[GTER] Fw: [SA13191] Skype "callto:" URI Handler Buffer Overflow Vulnerability

Denny Roger denny at batori.com.br
Mon Nov 15 15:51:53 -02 2004


----- Original Message ----- 
From: "Secunia Security Advisories" <sec-adv at secunia.com>
To: <denny at batori.com.br>
Sent: Monday, November 15, 2004 3:28 PM
Subject: [SA13191] Skype "callto:" URI Handler Buffer Overflow Vulnerability


>
> TITLE:
> Skype "callto:" URI Handler Buffer Overflow Vulnerability
>
> SECUNIA ADVISORY ID:
> SA13191
>
> VERIFY ADVISORY:
> http://secunia.com/advisories/13191/
>
> CRITICAL:
> Highly critical
>
> IMPACT:
> System access
>
> WHERE:
> From remote
>
> SOFTWARE:
> Skype for Windows 1.x
> http://secunia.com/product/4250/
>
> DESCRIPTION:
> A vulnerability has been reported in Skype, which can be exploited by
> malicious people to compromise a user's system.
>
> The vulnerability is caused due to a boundary error within the
> handling of command line arguments. This can be exploited to cause a
> stack-based buffer overflow by e.g. tricking a user into visiting a
> malicious web site, which passes an overly long string (more than
> 4096 bytes) to the "callto:" URI handler.
>
> Successful exploitation may allow execution of arbitrary code.
>
> The vulnerability affects versions 1.0.*.95 through 1.0.*.98.
>
> SOLUTION:
> Update to version 1.0.0.100.
> http://www.skype.com/products/skype/windows/
>
> PROVIDED AND/OR DISCOVERED BY:
> Reported by vendor.
>
> ----------------------------------------------------------------------
>
> About:
> This Advisory was delivered by Secunia as a free service to help
> everybody keep their systems up to date against the latest
> vulnerabilities.
>
> Subscribe:
> http://secunia.com/secunia_security_advisories/
>
> Definitions: (Criticality, Where etc.)
> http://secunia.com/about_secunia_advisories/
>
>
> Please Note:
> Secunia recommends that you verify all advisories you receive by
> clicking the link.
> Secunia NEVER sends attached files with advisories.
> Secunia does not advise people to install third party patches, only
> use those supplied by the vendor.
>
> 
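
Added example, not part of the forwarded advisory and not Skype's code: a length-checked way to take a "callto:" command line argument into a fixed buffer, rejecting input that does not fit instead of copying it. The function names, status codes and the 4096-byte capacity (borrowed from the advisory's threshold) are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Assumed capacity: the advisory's 4096-byte threshold used as the buffer size. */
#define CALLTO_BUF 4096

enum callto_status { CALLTO_OK, CALLTO_BAD_ARG, CALLTO_BAD_SCHEME, CALLTO_TOO_LONG };

/* Length of s, scanning at most max bytes; returns max if no NUL was found. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/*
 * Hypothetical handler entry point: copy the target of a "callto:" argument
 * into out (capacity out_cap, terminator included). The unsafe pattern this
 * replaces is an unchecked strcpy(buf, arg) into a fixed stack buffer.
 */
enum callto_status callto_parse(const char *arg, char *out, size_t out_cap)
{
    static const char scheme[] = "callto:";
    const size_t scheme_len = sizeof scheme - 1;
    size_t len;

    if (arg == NULL || out == NULL || out_cap == 0)
        return CALLTO_BAD_ARG;
    out[0] = '\0';                      /* callers never see stale data */

    if (strncmp(arg, scheme, scheme_len) != 0)
        return CALLTO_BAD_SCHEME;
    arg += scheme_len;

    /* Scan at most out_cap bytes: a result of out_cap means "does not fit". */
    len = bounded_len(arg, out_cap);
    if (len >= out_cap)
        return CALLTO_TOO_LONG;         /* reject, do not truncate */
    memcpy(out, arg, len);
    out[len] = '\0';
    return CALLTO_OK;
}

int main(int argc, char **argv)
{
    char target[CALLTO_BUF];
    return (argc == 2 && callto_parse(argv[1], target, sizeof target) == CALLTO_OK) ? 0 : 1;
}
```

Rejecting the oversized argument, instead of truncating it, keeps the handler from acting on a partial target.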