Skype acknowledged Tuesday that all its VoIP (Voice over Internet Protocol) clients contain bugs that leave machines susceptible to crashes and/or to attacks that could take control of the computers. But even as it patched the software, one analyst questioned how the popular service carried out the fix.
The flaws, which were reported by Danish vulnerability tracker Secunia and judged a "Highly critical" problem, involve the Windows, Linux, Mac OS X, and Pocket PC versions of the Skype client.
Although Skype released patches for all but the Pocket PC bug, Lawrence Orans, a research director at Gartner and an expert on VoIP security, questioned the company's ability to deliver a secure network.
"Earlier this year, when Microsoft's instant messenger client was vulnerable, Microsoft shut down [MSN] and then when users tried to connect, required them to update to a patched client. Microsoft essentially did our vulnerability management for us," said Orans.
Not so with Skype. When TechWeb launched a vulnerable version of the Windows client Tuesday, Skype did not require an update to connect to its network. Nor did the client's "Check for Update" feature offer the fixed version when selected; it presented another vulnerable edition instead.