Reviews and news

Earlier this week, security researchers at the Microsoft Malware Protection Center discovered that some Microsoft antimalware products such as Windows Live OneCare were incorrectly identifying some versions of Skype as malware. Such products may stop Skype’s operation and falsely notify the user about the following malware: Trojan:Win32/Vundo.gen!D.

The issue may have affected users of the following Microsoft antimalware products: Microsoft Forefront Client Security, Windows Live OneCare and Windows Live OneCare Safety Scanner. Microsoft has already released an update (a fixed signature file) which was pushed to users of Microsoft's antimalware products.

Once the fixed signature is deployed, Skype should be able to run normally. The fix is included in signature files version 1.31.9121.0 and higher. More information is available here.

We recently disabled the ability to use Skype's Live tab to download clips from the Dailymotion and Metacafe video galleries. We took this step as a cautionary measure after security researchers found a vulnerability in Skype 3.5 and 3.6 for Windows that would have allowed an attacker to execute arbitrary code on a Skype user’s Windows PC without their consent.

As we said in our post on January 18, the measure would be temporary. That is, until an official fix to the vulnerability would be made available. We are pleased to report that the core vulnerability has now been addressed and a fix is included in the latest build of Skype for Windows, 3.6.0.248.

For those who have upgraded to the latest build, we have now re-enabled video downloads from both Dailymotion and Metacafe. Users of older versions of Skype for Windows will not be able to access these video galleries and will need to upgrade.

Last but not least, we'd like to encourage all users to frequently upgrade their version of Skype. This helps ensure that the Skype experience is safer and more enjoyable.

Update on Nov 29: The issue is now resolved. For more details, please read my post on the Skype Mac blog.

- - - - -

Like a lot of people in the Mac community, we're excited that Mac OS X Leopard is now out in the wild. As you may have read, Skype runs into trouble when Leopard's firewall is activated. At the moment, this affects a minority of Skype users.

However, we wanted to let you know that we're embracing Apple's new security efforts. By doing so, we're continuing to ensure that Skype for Mac is the most secure internet-calling platform a Mac user can get. Our engineers are tweaking Skype for Mac and as soon as safely possible, the issue will be resolved. In a few weeks, the fix will be included in an updated version of Skype that has a loving relationship with the Leopard firewall.

(Updated Feb 9 with some more context.)

One of the new features in Skype for Windows is the Extras Gallery. (Extras are third-party plug-ins that let users expand Skype functionality. See extras.skype.com for what's available.) The Gallery is managed by a plug-in manager software framework developed by EasyBits Software and used under license.

The EasyBits software includes a form of digital rights management functionality intended to protect commercial software, such as plug-ins, from illegal redistribution or unlicensed use. Simply put, the EasyBits DRM framework helps us ensure compliance with software usage and distribution.

To enforce these license agreements, the EasyBits framework attempts to uniquely identify what physical computer it’s running on. One way to do this identification is to simply read the serial number of the motherboard, which is often available through a public query to the BIOS.

It is quite normal to look at indicators that uniquely identify the platform and there is nothing secret about reading hardware parameters from the BIOS. The function calls to do this are public and are available to any software running on your computer. Of course, in line with our Privacy Agreement, Skype does not retrieve any of this data. It is only used by the EasyBits software to ensure that plug-in use complies with the appropriate license token or key.

Since we learned that EasyBits DRM did not perform well on some newer platforms, we updated the version of their framework with one that no longer attempts to read from the BIOS. The current download of Skype for Windows, version 3.0.0.216, includes this updated framework.

It's hard to believe that 2006 is almost at an end, so I thought I'd better take advantage of this moment to say thanks to everyone who's contributed to making this year a successful one for Skype and for my security team. There are lots of people inside Skype I'd like to recognise, but in doing so I'm sure I'll miss someone, so maybe it's best to just say a general "thank you" to everyone who's worked so hard to improve our product security and customer communications.

I'd like to express my appreciation to those in the incident response community, the membership of FIRST, and the security researcher community who have been so willing to share their findings and observations with us this year. We truly value your contributions and we pledge to continue to listen to your ideas and thoughts in the coming months and years.

Finally, I'd like to offer my personal thanks to my colleagues and friends both in the information security industry and in my shodokan aikido club for your personal support during this extremely busy year. I don't know if I could have done it without you.

Happy holidays,

Kurt Sauer
CSO, Skype

Last Friday (2006-05-19) we issued a Skype Security Bulletin that describes a bugfix in the way that certain Skype weblinks are handled. I wanted to give a bit of explanation about what this means and how to upgrade to the newest version.

Continue reading "Keeping Skype safe" »

In early March 2006, someone at maxxuss.com posted a way to patch Skype so that 10-way voice conference calling is enabled, regardless of the speed or type of processor installed on the platform. (It's a rather clever idea; the author should consult jobs.skype.com. But I digress.)

The description I've read of the patch would not compromise Skype or alter the program's functionality. Instead, it would simply report to the Skype application inaccurate information about the type of computer processor on which the program is running. Of course, we have no idea whether the patches that are circulating around make other changes that are as yet undocumented.

We would like to point out that patching the Skype binary (or any software, for that matter) with unknown code is generally considered to be a very dangerous practice. We digitally sign our software (on Windows, this is done with Authenticode signatures) and we strongly encourage users to both verify the digital signature of our software and to not tamper with the program's integrity.

Yesterday, Skype reacted to reports of security vulnerabilities in its product by releasing software updates and widely circulating information about how to resolve the problem. Skype users may download the upgrade free of charge from Skype's website, [http://www.skype.com](http://www.skype.com).

Continue reading "Responding to security vulnerabilities" »

Ever since Skype was launched, we have said it is, and will remain, secure. Your Skype-to-Skype calls, chats and other communications are end-to-end encryped.

What sometimes happens is that after claiming this, we get asked "you say you're secure... so prove it". That's a valid question -- anyone can claim anything about their own product. We have recognized that you want more assurance than we say ourselves. So we did a comprehensive external security review of Skype, focusing on its encryption methods.

We're happy to report that the work is now complete and you can [download the full report](http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf) from [Skype security center](http://www.skype.com/security) ([PGP signature](http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf.sig)). There's also an [executive summary](http://share.skype.com/images/stories/images/blog/products/2005-031 security evaluation execsum.pdf) available. Note that while the full report was compiled by [Dr. Tom Berson](http://www.anagram.com/berson/index.html) from [Anagram Laboratories](http://www.anagram.com/), the summary is written in-house by Skype based on the full report.

In short, the conclusion of the report is that Skype uses standards-based methods and a sound design to secure its users, software and system, and does what it says -- is secure. Of course, security is never "done", so security continues to be an important track in all Skype developments and operations.

Continue reading "Skype security and encryption review now available" »