Skype patches medium-risk security hole

Skype is advising users to upgrade to a more recent version of its VoIP software to fix a security bug reported late last week by a security researcher in New Zealand.

The bug affects several versions of the Skype client for Windows and could allow an attacker to download a file from an affected PC without permission. Skype rated the vulnerability "medium risk."

It stems from a flaw in the way the Skype client handles a type of URI, or Uniform Resource Indicator, which provide a standard way to access resources on the Internet. Skype installs several URI handlers during a typical client installation.

To fall victim, a Skype user would have to be tricked into visiting a Web page set up by the attacker, said Brett Moore, a security researcher with Security-Assessment.com, who was credited with finding the hole.

The attacker needs to know the location of the file he wants to transfer, and must also have added the victim to his contact list.

The bug affects all releases of Skype for Windows up to and including version 2.0.x.104, as well as version 2.5.x.0 up to and including 2.5.x.78. Skype advised users to upgrade to Skype 2.5, release 2.5.x.79 or later, or Skype 2.0, release 2.0.x.105 or later.

It's the first security bulletin issued by Skype in about seven months. Last year it issued three bulletins, two rated high risk and one low risk.

The latest bulletin can be read here.

An advisory from Security-Assessment.com, in PDF format, is at http://www.security-assessment.com/Advisories/Skype_URI_Handling_Vulnerability.pdf

The IDG News Service is a Network World affiliate.