Skype security features

Skype cross-zone scripting vulnerability now fixed

By Villu Arak on February 6, 2008 in Reviews and news, Skype security features.

We recently disabled the ability to use Skype's Live tab to download clips from the Dailymotion and Metacafe video galleries. We took this step as a cautionary measure after security researchers found a vulnerability in Skype 3.5 and 3.6 for Windows that would have allowed an attacker to execute arbitrary code on a Skype user’s Windows PC without their consent.

As we said in our post on January 18, the measure would be temporary, that is, until an official fix for the vulnerability was made available. We are pleased to report that the core vulnerability has now been addressed and a fix is included in the latest build of Skype for Windows, 3.6.0.248.

For those who have upgraded to the latest build, we have now re-enabled video downloads from both Dailymotion and Metacafe. Users of older versions of Skype for Windows will not be able to access these video galleries and will need to upgrade.

Last but not least, we'd like to encourage all users to frequently upgrade their version of Skype. This helps ensure that the Skype experience is safer and more enjoyable.

(Resolved) Skype Cross Zone Scripting Vulnerability

By Villu Arak on January 18, 2008 in Skype security features.

A vulnerability that allowed an attacker to execute arbitrary code on a Skype user's Windows PC without their consent has been discovered in Skype and on Dailymotion, the video-sharing site where Skype users can download video clips and add them to their Skype moods and chats.

The vulnerability had the potential to affect users of Skype 3.5 and 3.6 for Windows who, in Skype's video gallery, navigated to a Dailymotion video with a specially crafted title.

The issue, demonstrated by security researchers as a proof of concept, was neutralized before actual attackers took advantage of it; therefore, Skype users are unlikely to have been affected. Skype has temporarily disabled users' ability to add videos from the Dailymotion gallery until an official fix has been made available. In turn, Dailymotion is addressing the vulnerability on their web site.

For a more detailed description of the issue, please see the most recent Skype Security Bulletin.

Update: We've also temporarily disabled the ability to add videos from the Metacafe video gallery. Both Dailymotion and Metacafe videos will be re-enabled as soon as an official fix has been made available.

- - -

Final update on Feb. 6, 2008 - the issue has been resolved. Please see today's post for more information.

Vulnerability in Skype for Windows versions older than 3.6.x.216

By Villu Arak on December 10, 2007 in Impersonation, Skype security features.

In early November, Zero Day Initiative informed Skype of a vulnerability that allows a remote attacker to execute arbitrary code, provided that the user visits a malicious website.

The flaw exists within the skype4com URI handler component of Skype. An exploitable memory corruption may occur during the parsing of URIs which can result in arbitrary code execution under the user rights of the current Windows account.

The issue was fixed in the public release of Skype 3.6 for Windows. All versions of Skype for Windows updated or installed as of November 15 include the patch.

At Skype, we strive to inform the public of vulnerabilities and malware that may affect Skype software. While this particular vulnerability was fixed, there was an unintentional communication oversight and we failed to bring the case to the public's attention. All we can do now is to apologize.

Meanwhile, we'd like to advise users to always upgrade to the latest version of Skype. This ensures access to the latest features, improvements and fixes, and helps get the most out of your Skype experience.

Deploying Skype in a Windows domain

By Kurt on January 3, 2007 in Skype security features.

One of our goals for 2006 was to make it easier for companies to deploy and manage Skype for Windows in a managed environment. I'm happy to say that by the end of 2006, we'd rolled out a native Microsoft Installer (msi) format installer for Skype (you can download it from the Skype for Business website). This should make it far easier to deploy Skype in a Windows domain than using the native Skype installer.

Admin control of Skype features

By Kurt on March 9, 2006 in Skype security features.

I just got back from Japan, where we held a seminar about Skype security features with some developers and customers. One of the things I learned was that we haven't gotten the word out about the ways that IT administrators can set enterprise-wide policies on Windows computers running Skype. There are a couple of controls that were very important to the IT administrators I spoke with, and those were features to disable API interfaces and to disable file transfers on a particular instance of Skype.

ZUI and the Skype PKI

By Kurt on February 3, 2006 in Skype security features.

Hi, I’m Kurt Sauer, Skype’s CSO. Over the coming weeks, I’d like to talk about some of the different security features in Skype and where we’re going with them. This month (February 2006) marks my second year here, which, in Skype-years, is nearly an eternity. Over that time, we’ve been able to put on the street one of the largest functional PKI-based communications systems in the world, so I thought that talking about PKIs would be a good starting point.

While I suppose it isn’t the most glamorous piece of our products, the Skype PKI (public key infrastructure) is an important component of what makes Skype work. Last year, Brad Templeton described Skype’s PKI as a ZUI (Zero User Interface) system. (I liked the way he put it so much that I still have the original article bookmarked.)
