
Critical Vulnerability in Microsoft’s Skype Made Public, Patch Already Available


CrAKeN


 

Microsoft has already released a patch in the latest version of Skype

 

A new security vulnerability has been discovered in Microsoft’s software, this time in the Windows desktop version of instant messaging app Skype.

 

Vulnerability Lab security researcher Benjamin Kunz Mejri explains that the stack buffer overflow bug, which is documented in CVE-2017-9948, exists in Skype versions 7.2, 7.35, and 7.36.

 

The worst thing is that it does not require user interaction, and an attacker can crash the application or even execute malicious code on a target system running the vulnerable Skype version.

 

According to the vulnerability report, it’s all because of a security bug in the MSFTEDIT.DLL library, which can be exploited by an attacker by copying a malicious image file to the clipboard and then pasting it in a conversation window in Skype. Once the photo is stored on both the remote and the local systems, Skype experiences a stack buffer overflow, crashing and then leaving the door open for more exploits.

 

Patch rolled out on June 8


“The successful attack scenario is not limited to manual exploitation only. Attackers can locally prepare the cache and clipboard of a computer system to exploit the connected remote party computer system using skype,” the security researcher explains in the vulnerability report.

 

“Exploitation of the buffer overflow software vulnerability requires no user interaction and only a low privilege skype user account. Successful exploitation of the buffer overflow vulnerability results in system and process compromise by an overwrite of the registers.”

 

Microsoft has already patched the bug in Skype version 7.37.178 and users are recommended to install this version as soon as possible to make sure that they’re not targeted by attacks based on this vulnerability. The patch was rolled out on June 8.

 

At this point, there are no reports of successful attacks involving this vulnerability given that the flaw was privately reported, but following the public disclosure on June 26, it’s critical for Skype users to update the software as soon as possible. Only the Windows version is affected.

 

 

Source




The official site still shows version Skype 7.37.32.103....I tried to use the "check for updates" on Skype but it says "you already have the latest version", but I have 7.36.0.150 installed...so it appears MS is a bit slow to issue the protection....what a surprise!!!:D



5 hours ago, funkyy said:

The official site still shows version Skype 7.37.32.103....I tried to use the "check for updates" on Skype but it says "you already have the latest version", but I have 7.36.0.150 installed...so it appears MS is a bit slow to issue the protection....what a surprise!!!:D

 

Skype 7.37.xx.103 is not vulnerable, only versions 7.36 and older are vulnerable.

 

You can download Skype 7.37.0.103 from here: http://www.skype.com/go/getskype-full



23 hours ago, SPECTRUM said:

 

Skype 7.37.xx.103 is not vulnerable, only versions 7.36 and older are vulnerable.

 

You can download Skype 7.37.0.103 from here: http://www.skype.com/go/getskype-full

Sorry, but that link downloads version :huh:7.36.0.150



10 minutes ago, funkyy said:

Sorry, but that link downloads version :huh:7.36.0.150

 

No, it currently downloads version 7.38.0.101.



I just clicked on the link again, downloaded the file, clicked properties, version and it shows 7.36.0.150????????????????:rolleyes: But I've downloaded version 7.38.0.101 from another site. Thanks anyway:rolleyes:


