Vulnerabilities in SKYPE
Affected Operating Systems: Windows XP/NT/2K/Me/98/95, Linux, MacOS
Affected Applications: Undefined

Several vulnerabilities have been reported in Skype, which can be exploited to cause a Denial of Service or to compromise the account of a user of the system.

Description:
Some vulnerabilities have been reported in Skype, which can be exploited
by malicious people to cause a DoS or to compromise a user's system.

1) A boundary error exists when handling Skype-specific URI types e.g.
"callto://" and "skype://". This can be exploited to cause a buffer
overflow and allows arbitrary code execution when the user clicks on a
specially-crafted Skype-specific URL.

The vulnerability is related to:
SA13191

2) A boundary error exists in the handling of VCARD imports. This can be
exploited to cause a buffer overflow and allows arbitrary code execution
when the user imports a specially-crafted VCARD.

Vulnerabilities #1 and #2 have been reported in Skype for Windows Release
1.1.*.0 through 1.4.*.83.

3) A boundary error exists in the handling of certain unspecified Skype
client network traffic. This can be exploited to cause a heap-based
buffer overflow.

Successful exploitation crashes the Skype client.

The vulnerability has been reported in the following versions:
* Skype for Windows Release 1.4.*.83 and prior.
* Skype for Mac OS X Release 1.3.*.16 and prior.
* Skype for Linux Release 1.2.*.17 and prior.
* Skype for Pocket PC Release 1.1.*.6 and prior.

Solution:
Update to the fixed version.
http://www.skype.com/download/

Skype for Windows:
Update to Release 1.4.*.84 or later.

Skype for Mac OS X:
Update to Release 1.3.*.17 or later.

Skype for Linux:
Update to Release 1.2.*.18 or later.

Skype for Pocket PC:
No patch is yet available.
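
The affected and fixed releases above can be applied to a software inventory to decide which installations need attention. The following is an added example, not part of the advisory: it assumes the "*" third field of a release is ignored when ordering releases, and the platform keys, function names and sample hosts are hypothetical.

```python
import re

# Per platform: last affected release as (major, minor, build) and the fixed
# release named in the advisory (None = no patch listed). Assumption: the "*"
# third field is ignored when ordering releases.
ADVISORY = {
    "windows":  ((1, 4, 83), "1.4.*.84"),
    "macosx":   ((1, 3, 16), "1.3.*.17"),
    "linux":    ((1, 2, 17), "1.2.*.18"),
    "pocketpc": ((1, 1, 6), None),
}
# Issues 1 and 2 (URI and VCARD handling) are reported for Windows only,
# starting at release 1.1.*.0.
URI_VCARD_FIRST = (1, 1, 0)

def parse_release(text):
    """Return (major, minor, build) from a four-field release string."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.[^.]+\.(\d+)", text.strip())
    if m is None:
        raise ValueError(f"not a four-field Skype release: {text!r}")
    return tuple(int(g) for g in m.groups())

def affected_issues(platform, release):
    """Return the advisory issue numbers that apply to one installation."""
    last_affected, _ = ADVISORY[platform.lower()]
    ver = parse_release(release)
    if ver > last_affected:
        return []
    if platform.lower() == "windows" and ver >= URI_VCARD_FIRST:
        return [1, 2, 3]
    return [3]

def triage(inventory):
    """Map host -> (issues, action) for (host, platform, release) rows."""
    report = {}
    for host, platform, release in inventory:
        issues = affected_issues(platform, release)
        fixed = ADVISORY[platform.lower()][1]
        if not issues:
            action = "none"
        elif fixed is None:
            action = "no patch available"
        else:
            action = f"update to {fixed} or later"
        report[host] = (issues, action)
    return report

# Constructed sample inventory (hypothetical hosts and releases).
SAMPLE = [("pc-01", "Windows", "1.4.0.83"), ("pda-07", "PocketPC", "1.1.0.6")]
```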

Provided and/or discovered by:
1-2) Mark Rowe and Joe Moore, Pentest Limited.
3) Imad Lahoud, EADS Corporate Research Center.

Changelog:
2005-10-25: Updated credit and "Original Advisory" sections.

Original Advisory:
Skype:
http://www.skype.com/security/skype-sb-2005-02.html
http://www.skype.com/security/skype-sb-2005-03.html

Pentest Limited:
http://www.pentest.co.uk/documents/ptl-2005-01.html

Other References:
SA13191:
http://secunia.com/advisories/13191/
