CrAKeN Posted June 27, 2017

Microsoft has already released a patch in the latest version of Skype

A new security vulnerability has been discovered in Microsoft’s software, this time in the Windows desktop version of instant messaging app Skype. Vulnerability Lab security researcher Benjamin Kunz Mejri explains that the stack buffer overflow bug, which is documented in CVE-2017-9948, exists in Skype versions 7.2, 7.35, and 7.36.

The worst thing is that it does not require user interaction, and an attacker can crash the application or even execute malicious code on a target system running the vulnerable Skype version.

According to the vulnerability report, it’s all because of a security bug in the MSFTEDIT.DLL library, which can be exploited by an attacker by copying a malicious image file to clipboard and then pasting it in a conversation window in Skype. Once the photo is stored on both the remote and the local systems, Skype experiences a stack buffer overflow, crashing and then leaving the door open for more exploits.

Patch rolled out on June 8

“The successful attack scenario is not limited to manual exploitation only. Attackers can locally prepare the cache and clipboard of a computer system to exploit the connected remote party computer system using skype,” the security researcher explains in the vulnerability report.

“Exploitation of the buffer overflow software vulnerability requires no user interaction and only a low privilege skype user account. Successful exploitation of the buffer overflow vulnerability results in system and process compromise by an overwrite of the registers.”

Microsoft has already patched the bug in Skype version 7.37.178 and users are recommended to install this version as soon as possible to make sure that they’re not targeted by attacks based on this vulnerability. The patch was rolled out on June 8.

At this point, there are no reports of successful attacks involving this vulnerability given that the flaw was privately reported, but following the public disclosure on June 26, it’s critical for Skype users to update the software as soon as possible. Only the Windows version is affected.

funkyy Posted June 27, 2017

The official site still shows version Skype 7.37.32.103....I tried to use the "check for updates" on Skype but it says "you already have the latest version", but I have 7.36.0.150 installed...so it appears MS is a bit slow to issue the protection....what a surprise!!!

SPECTRUM Posted June 28, 2017

5 hours ago, funkyy said:
> The official site still shows version Skype 7.37.32.103....I tried to use the "check for updates" on Skype but it says "you already have the latest version", but I have 7.36.0.150 installed...so it appears MS is a bit slow to issue the protection....what a surprise!!!

Skype 7.37.xx.103 is not vulnerable, only versions 7.36 and older are vulnerable. You can download Skype 7.37.0.103 from here: http://www.skype.com/go/getskype-full

funkyy Posted June 29, 2017

23 hours ago, SPECTRUM said:
> Skype 7.37.xx.103 is not vulnerable, only versions 7.36 and older are vulnerable. You can download Skype 7.37.0.103 from here: http://www.skype.com/go/getskype-full

Sorry, but that link downloads version 7.36.0.150

SPECTRUM Posted June 29, 2017

10 minutes ago, funkyy said:
> Sorry, but that link downloads version 7.36.0.150

No, it currently downloads version 7.38.0.101.

funkyy Posted June 29, 2017

I just clicked on the link again, downloaded the file, clicked properties, version and it shows 7.36.0.150????????????????

But I've downloaded version 7.38.0.101 from another site. Thanks anyway