Network Computing is part of the Informa Tech Division of Informa PLC

VoIP Darling Skype Divulges Flaws In All Clients: Page 2 of 5

One of the Skype bugs -- found by a pair of researchers from U.K.-based security firm Pentest, Limited -- affects Skype for Windows 1.1.0.0 through 1.4.0.83, and can be used by attackers to first trigger a buffer overflow on the PC, then use that to drop additional code on the computer. All the attacker needs to do is convince a user to click on a malicious Skype-style URL.

"In addition, Skype can be made to execute arbitrary code during importation of a VCARD that is in a specific non-standard format," wrote the Pentest researchers, Mark Rowe and Joe Moore, in their advisory.

Skype fixed the flaw and released an updated Windows client, version 1.4.0.84, which can be downloaded from the Luxembourg-based company's Web site.

The second security bulletin released Tuesday affects all current clients -- Windows, Mac, Linux, and Pocket PC -- but according to Skype, doesn't pose as much of a danger.

An attacker would need to send a stream of specially crafted network traffic to a Skype client to cause a crash.