Critical security vulnerability found in Skype

A highly critical security vulnerability has been discovered in various flavours of the Skype IP telephony software.
A boundary error exists when handling Skype-specific URI types such as ‘callto://’ and ‘skype://’. This can be exploited to cause a buffer overflow and allows arbitrary code execution when the user clicks on a specially-crafted Skype-specific URL.

According to Secunia, the vulnerability is related to a boundary error in the handling of VCARD imports. It can be exploited to cause a buffer overflow and allows arbitrary code execution when the user imports a specially-crafted VCARD. There can also be another boundary error in the handling of certain unspecified Skype client network traffic, which can be exploited to cause a heap-based buffer overflow. For more information go to secunia.com/advisories/17305/.

Users of Skype for Linux, Mac OS X, Pocket PC and Windows should update to the latest version at www.skype.com/download.

Source

Here we go :frowning:

I thought the NX bit was supposed to stop this crap.

Many thanks for the heads up Mulda :thumbs:

rep points :smiley:

DT.