[NT] Skype File URI Security Bypass Code Execution Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.

- - - - - - - - -

Skype File URI Security Bypass Code Execution Vulnerability


Skype is "a freely available VOIP client that allows access to chat and
video conference with other Skype users and traditional telephone
numbers". Remote exploitation of a security policy bypass in Skype could
allow an attacker to execute arbitrary code in the context of the user.


Vulnerable Systems:
* Skype version

Immune Systems:
* Skype version

The "file:" URI handler in Skype performs checks upon the URL to verify
that the link does not contain certain file extensions related to
executable file formats. If the link is found to contain a blacklisted
file extension, a security warning dialog is shown to the user. The
following file extensions are checked and considered dangerous by Skype;
ade, .adp, .asd, .bas, .bat, .cab, .chm, .cmd, .com, .cpl, .crt, .dll,
eml, .exe, .hlp, .hta, .inf, .ins, .isp, .js.

Due to improper logic when performing these checks, it is possible to
bypass the security warning and execute the program. First of all,
checking is performed using a case sensitive comparison. The second flaw
in this check is that the blacklist fails to mention all potential
executable file formats. By using at least one upper case character, or
using an executable file type that is not covered in the list, an attacker
can bypass the security warning.

Exploitation of this issue allows an attacker to execute arbitrary code on
the targeted user's machine. An attacker would need to persuade a targeted
user to click a "file:" URI pointing to a malicious executable.

Vendor response:
Skype has addressed this vulnerability by releasing version For
more information consult their advisory at the following URL.

CVE Information:

Disclosure timeline:
05/16/2008 - Initial vendor notification
05/17/2008 - Initial vendor response
06/04/2008 - Coordinated public disclosure


The information has been provided by
<mailto:idlabs-advisories@xxxxxxxxxxxx> iDefense Labs Security Advisories.
The original article can be found at:


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages