Skype recently released an update to their Windows client to fix a major security issue. The Skype advisory is SB/2008-003: Skype File URI Security Bypass Code Execution Vulnerability. The latest Skype for Windows client is now 3.8.0.139.

There are some more details of the vulnerability on the iDefense Labs advisory page.

II. DESCRIPTION

Remote exploitation of a security policy bypass in Skype could allow an attacker to execute arbitrary code in the context of the user.

The "file:" URI handler in Skype performs checks upon the URL to verify that the link does not contain certain file extensions related to executable file formats. If the link is found to contain a blacklisted file extension, a security warning dialog is shown to the user. The following file extensions are checked and considered dangerous by Skype: .ade, .adp, .asd, .bas, .bat, .cab, .chm, .cmd, .com, .cpl, .crt, .dll, .eml, .exe, .hlp, .hta, .inf, .ins, .isp, .js.

Due to improper logic when performing these checks, it is possible to bypass the security warning and execute the program. First of all, checking is performed using a case-sensitive comparison. The second flaw in this check is that the blacklist fails to mention all potential executable file formats. By using at least one upper case character, or using an executable file type that is not covered in the list, an attacker can bypass the security warning.

Upgrade now to the latest Skype for Windows.
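To make the two flaws in the advisory concrete, here is an added example (not Skype's code and not part of the original post) that models the described check as a case-sensitive denylist match and sets a hardened check beside it. The hardened version canonicalises the path (percent-decoding, case folding, Windows trailing-dot stripping, which goes slightly beyond what the advisory lists) and then uses a deny-by-default allowlist so that file types nobody thought to list are still caught; the allowlist contents and the sample URIs are assumptions constructed for the example.

```python
import os
from urllib.parse import unquote, urlparse

# Extension denylist exactly as quoted in the iDefense advisory.
SKYPE_BLACKLIST = {".ade", ".adp", ".asd", ".bas", ".bat", ".cab", ".chm",
                   ".cmd", ".com", ".cpl", ".crt", ".dll", ".eml", ".exe",
                   ".hlp", ".hta", ".inf", ".ins", ".isp", ".js"}

# Illustrative allowlist of document types a chat client may open
# without a warning (constructed for this example, not Skype's list).
SAFE_EXTENSIONS = {".txt", ".pdf", ".jpg", ".png", ".gif"}


def flawed_check(uri: str) -> bool:
    """Model of the check the advisory describes: a case-sensitive
    substring match against a fixed denylist. Returns True when the
    security warning would be shown."""
    return any(ext in uri for ext in SKYPE_BLACKLIST)


def canonical_extension(uri: str) -> str:
    """Extension of the file the URI actually names, normalised the way
    the operating system will interpret it: percent-decoded, last path
    segment only, trailing dots/spaces dropped (Windows ignores them),
    lower-cased."""
    path = unquote(urlparse(uri).path)
    name = path.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    return os.path.splitext(name)[1].lower()


def hardened_check(uri: str) -> bool:
    """Deny by default: warn unless the scheme is file: and the
    canonical extension is on the allowlist. Case and encoding tricks
    and unlisted executable types all fall through to a warning."""
    if urlparse(uri).scheme.lower() != "file":
        return True
    return canonical_extension(uri) not in SAFE_EXTENSIONS


if __name__ == "__main__":
    # Constructed sample links showing where the two checks diverge.
    for link in ("file:///C:/tools/run.exe", "file:///C:/tools/run.EXE",
                 "file:///C:/tools/run%2Eexe", "file:///C:/tools/run.xyz",
                 "file:///C:/docs/report.pdf"):
        print(f"{link:32} flawed={flawed_check(link)!s:5} "
              f"hardened={hardened_check(link)}")
```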