[gui-talk] Article: Kiwi security expert finds flaw in Skype
Steve Pattison
srp at internode.on.net
Tue Jun 6 10:22:06 CDT 2006
This article is taken from the New Zealand Computer World home page at http://computerworld.co.nz. -Steve.

Kiwi Security Expert Finds Flaw in Skype
By Ulrika Hedquist and Juha Saarinen, Auckland | Tuesday, 6 June, 2006

A security flaw in Skype's peer-to-peer VoIP software has been closed, thanks to diligent work by a Kiwi security expert.

Auckland-based Brett Moore, CTO of Australian, independent security company Security-Assessment.com, uncovered the flaw in Skype's software. Skype is now advising users to upgrade to its latest version to fix the bug.

Moore says that the type of vulnerability found in Skype is fairly common with applications that interact with internet browsers.

"We have previously discovered this type of vulnerability in two separate programs and there are public releases of similar issues in other programs," he says.

The security flaw manifests itself through the way Skype handles Uniform Resource Identifiers (URIs) that point to names or addresses referring to resources.

Security-Assessment.com discovered that with one type of URI handler installed by Skype it was possible to include additional command-line switches. One such switch will set up a file transfer session that will allow data written to the local hard disk to be sent to another Skype user.

For an attacker to successfully exploit the flaw he must know the exact name and location of the file he wants to transfer on the victim's computer. The attacker must also authorise the victim, Security-Assessment.com says. This is easily done, with the attacker simply adding the victim to his contact list.

There are further URI handler flaws in Skype, Security-Assessment.com says. Other command-line switches could be exploited to manipulate or obtain victims' Skype user credentials.

Security-Assessment.com regularly performs application testing for its customers or as part of its own R&D, says Moore.

"In this case, we were reviewing Skype as part of a larger VoIP research programme. Often we will notice what appears to be the potential for a vulnerability and investigate further."

Moore says that a targeted attack is required to exploit this particular vulnerability.

"The person to be exploited must be specifically selected and they must be convinced to browse to a web page or click on a hyperlink," he says. "While there are certain mitigating factors involved in a successful attack, the potential is there for an attacker to steal confidential files, including the user's Skype configuration."

Theft of the Skype configuration could lead to further attacks such as ID theft, or listening in on users' conversations, he says.

"The best solution is to install the vendor-supplied update," Moore says. "As always, users should be aware of malicious emails and email attachments."

When discovering security flaws the company works directly with the vendor involved to help secure their software, Moore says.

"Skype was very happy to work with us on this issue. They phoned me shortly after receiving our security report and kept me up to date with their progress," he says. "During the patch development they called me to discuss further details, and sent me a pre-release install to verify that they had fixed the problem."

Moore was a little surprised to find the bug in Skype because it has already undergone independent security reviews, and also because of the large numbers of users.

Regards Steve
Email: srp at internode.on.net
Skype: steve1963
MSN Messenger: internetuser383 at hotmail.com