VoIP Darling Skype Divulges Flaws In All Clients

Skype acknowledged Tuesday that all its VoIP (Voice over Internet Protocol) clients suffer from bugs that leave machines susceptible to crashes and/or open them to attacks that could take control of the computers. But even as it patched the software, one analyst questioned how the popular service carried out the fix.

The flaws, which were reported by Danish vulnerability tracker Secunia and judged a "Highly critical" problem, involve the Windows, Linux, Mac OS X, and Pocket PC versions of the Skype client.

But even as Skype released patches for all but the bug in Pocket PC, Lawrence Orans, a research director at Gartner and an expert on VoIP security, questioned the company's ability to deliver a secure network.

"Earlier this year, when Microsoft's instant messenger client was vulnerable, Microsoft shut down [MSN] and then when users tried to connect, required them to update to a patched client. Microsoft essentially did our vulnerability management for us," said Orans.

Not so with Skype. When TechWeb launched a vulnerable version of the Windows client Tuesday, Skype did not require an update to connect to its network. Nor did it offer the fixed version when the client's "Check for Update" feature was selected, but instead presented another vulnerable edition.One of the Skype bugs -- found by a pair of researchers from U.K.-based security firm Pentest, Limited -- affects Skype for Windows 1.1.0.0 through - 1.4.0.83, and can be used by attackers to first generate a buffer overflow on the PC, then use that to drop additional code on the computer. All the attacker needs to do is convince a user to click on a malicious Skype-style URL.

"In addition, Skype can be made to execute arbitrary code during importation of a VCARD that is in a specific non-standard format," wrote the Pentest researchers, Mark Rowe and Joe Moore, in their advisory.

Skype fixed the flaw and released an updated Windows client, version 1.4.0.84, which can be downloaded from the Luxembourg-based company's Web site.

The second security bulletin released Tuesday affects all current clients -- Windows, Mac, Linux, and Pocket PC -- but according to Skype, doesn't pose as much of a danger.

An attacker would need to send a stream of specially-crafted network traffic to a Skype client to cause a crash.Skype fixed this problem for the Windows, Mac OS X, and Linux clients, but not for Pocket PC. "No patch is yet available," said Skype in the bulletin about Pocket PC. Windows, Linux, and Mac users should download the new client immediately.

On the same day Skype patched the vulnerabilities, the Computing Technology Industry Association (CompTIA) released a survey of small- and mid-sized businesses that put VoIP at the bottom of the trust ladder.

According to the CompTIA's poll, only 48 percent of the businesses surveyed currently trust IP telephony's security. By comparison, 76 percent said they trusted the security of traditional telephone networks and 65 percent said they trusted cabled computer networks.

IP telephony even lagged behind wireless, traditionally a part of the communications infrastructure that raises the most security suspicions: 55 percent of the respondents said they trusted wireless, beating VoIP by 7 points.

Those number don't surprise Gartner's Orans. "Concern over security has grown since the beginning of the year," he said, fueled in large part by the relatively new protocols that VoIP relies on, and their inherent insecurity."They're risky because they've not [yet] faced the same level of scrutiny as other protocols," he said.

"Voice is the most mission critical application in business," he added. "Any time you make changes to voice, jobs and careers are on the line."

In fact, Gartner has recommended that business steer clear of Internet telephony solutions like Skype, citing security as the basis of its concern. "We advise businesses not to use Skype, because it uses port 443 or port 80, which should be used for SSL and HTTP [respectively]. Companies that allow Skype have more lax firewall policies than are desirable."

eBay, which two weeks ago closed on its acquisition of Skype, did not respond to a call for comment on the VoIP vulnerabilities.

Coincidentally, Tuesday also marked the public debut of Skype Groups, a business-centric service aimed at smaller firms which want to manage multiple Skype users under one master account.0