Multiple security flaws in the popular Skype voice chat application could put millions of users at risk of computer takeover attacks, the company acknowledged Tuesday.
Skype Technologies S.A., which is being acquired by eBay Inc., warned in two separate advisories that the vulnerabilities could lead to system access or denial-of-service attacks.
The Skype program, which uses peer-to-peer technology to route phone calls over the Internet, is one of the most popular desktop applications sitting behind firewalls, making the threat vector even more serious.
Internet security researchers have long warned that flaws in Internet-facing desktop applications that sit behind a firewall present a lucrative target for malicious hackers.
The acknowledgement of security holes in Skype comes at a crucial time for the company, which counts about 60 million registered enterprise and consumer users.
Skype is adding 170,000 new subscribers every day, and the rapid growth means that the company has almost doubled its number of registered users in the last six months. About 30 percent are paying customers.
Security alerts aggregator Secunia Inc. rates the risk from the flaws as “highly critical” and urges users to apply the appropriate patches immediately.
The more serious of the two bugs is a boundary error that exists when Skype-specific URI types like “callto://” and “skype://” are handled by the application.
This can be exploited to cause a buffer overflow and allows arbitrary code execution, according to an alert posted on the Skype Security Center.
Affected software versions include Skype for Windows Releases 1.1.*.0 through 1.4.*.83.
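As an added illustration, not Skype's code (the advisory does not publish the defect's details), here is a minimal callto:// and skype:// URI handler in C that checks the target length before copying it into a fixed-size buffer, the check a boundary error of this kind is missing; the buffer size, function names and the oversize input are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TARGET 64   /* bytes the handler sets aside for the call target */
/* Copies the target part of a callto:// or skype:// URI into out.
   Returns 1 on success, 0 for an unknown scheme, an empty target, or a
   target that would not fit. The length is checked BEFORE anything is
   copied; an unbounded strcpy() here is the kind of boundary error the
   advisory describes. */
int parse_skype_uri(const char *uri, char *out, size_t outlen) {
    static const char *const schemes[] = { "callto://", "skype://" };
    const char *target = NULL;
    size_t i, n;
    if (uri == NULL || out == NULL || outlen == 0)
        return 0;
    for (i = 0; i < sizeof schemes / sizeof schemes[0]; i++) {
        size_t plen = strlen(schemes[i]);
        if (strncmp(uri, schemes[i], plen) == 0) { target = uri + plen; break; }
    }
    if (target == NULL)
        return 0;                    /* not a Skype URI scheme */
    n = strlen(target);
    if (n == 0 || n >= outlen)       /* must leave room for the terminator */
        return 0;
    memcpy(out, target, n + 1);      /* n + 1 <= outlen: cannot overrun */
    return 1;
}

/* Does the handler accept this URI into a MAX_TARGET-byte buffer? */
int accepts_skype_uri(const char *uri) {
    char buf[MAX_TARGET];
    return parse_skype_uri(uri, buf, sizeof buf);
}

/* Constructed oversize input (not from the advisory): a callto:// URI whose
   target is far longer than MAX_TARGET. Returns 1 if the handler rejects it. */
int overlong_uri_rejected(void) {
    char uri[300];
    memset(uri, 'A', sizeof uri - 1);
    uri[sizeof uri - 1] = '\0';
    memcpy(uri, "callto://", 9);     /* scheme prefix, then 290 bytes of target */
    return accepts_skype_uri(uri) == 0;
}

int main(void) {
    printf("callto://echo123 accepted: %d\n", accepts_skype_uri("callto://echo123"));
    printf("overlong input rejected: %d\n", overlong_uri_rejected());
    return 0;
}
```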
Skype for Windows users are also vulnerable to remote code execution attacks because of a separate boundary error in the handling of VCARD imports. The company acknowledged that a malicious hacker could create a special VCARD to launch an attack when the card is imported into the client.
A third boundary error flaw was also identified in the way the program handles certain Skype client network traffic. This can be exploited to cause a heap-based buffer overflow.
Successful exploitation crashes the Skype client.
The denial-of-service vulnerability affects Skype for Windows Release 1.4.*.83 and prior, Skype for Mac OS X Release 1.3.*.16 and prior, Skype for Linux Release 1.2.*.17 and prior, and Skype for Pocket PC Release 1.1.*.6 and prior.
Skype has posted software fixes for most affected users. There is no patch available yet for Skype for Pocket PC users.
There are no reports of public exploits for the vulnerabilities.