  Adrian Asher

Explaining the Cross Site Scripting Bug in Skype for Windows [RESOLVED]

Updated July 20, 2011 - This issue is now resolved.

Currently, there is a Cross Site Scripting (XSS) bug present in the Skype Home area of the Skype for Windows client. Cross Site Scripting (XSS) is a problem where someone is able to put malicious content onto a web page that other people will view later. If this content is not filtered correctly when someone visits that web page and views the malicious content, it could result in them being redirected somewhere else, having pop-ups appear on their screen, or, worse yet, being sent to a web site that contains a virus or trojan.

Unfortunately, Skype for Windows is not correctly validating some fields of your contacts' profiles. What this means is if one of your Skype contacts has put some specific strings into their profile, it could result in your Skype Home area being redirected to another web page or a message being displayed.
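The bug described above comes down to untrusted profile text reaching an HTML view without encoding. The following is an added illustration, not Skype's code: it assumes a simple HTML template for a contact card, renders a constructed profile once unescaped and once with HTML encoding, and checks which rendering lets an injected tag through.

```python
import html
from html.parser import HTMLParser

# Constructed sample profiles (assumption: a contact's profile fields are
# rendered into an HTML view, as the Skype Home area does). Not real data.
PROFILES = {
    "benign": {"name": "Alice", "mood": "Out of office until Monday"},
    "hostile": {"name": "Bob", "mood": '<script>location="https://example.invalid/"</script>'},
}


def render_unescaped(profile):
    """Vulnerable pattern: profile text is concatenated straight into the HTML template."""
    return f'<div class="contact"><b>{profile["name"]}</b>: {profile["mood"]}</div>'


def render_escaped(profile):
    """Hardened pattern: every untrusted field is HTML-encoded before it reaches the page."""
    name = html.escape(profile["name"], quote=True)
    mood = html.escape(profile["mood"], quote=True)
    return f'<div class="contact"><b>{name}</b>: {mood}</div>'


class TagCollector(HTMLParser):
    """Records every start tag the browser-side parser would see in a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(fragment, template_tags=("div", "b")):
    """Return tags in the rendered fragment that the template itself did not emit.

    A non-empty result means profile data was interpreted as markup, i.e. XSS.
    """
    parser = TagCollector()
    parser.feed(fragment)
    return sorted(set(parser.tags) - set(template_tags))


if __name__ == "__main__":
    for label, profile in PROFILES.items():
        print(label, "unescaped ->", injected_tags(render_unescaped(profile)))
        print(label, "escaped   ->", injected_tags(render_escaped(profile)))
```

The same check can be run over any field a contact controls; in a real fix the encoding must be applied for the context the value lands in (element text, attribute, URL), and html.escape only covers the first two.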

In order for someone to cause these messages to be popped up or to redirect you to a web site, they would first have to be one of your accepted Skype contacts. However, this vulnerability should not be there, and we are finalising testing of a fix that is due to be pushed out early next week.

When the fix is deployed, it will not require you to update your Skype client, as the change will happen without you needing to perform any updates. Of course, as always, I urge everyone to be on the latest version of Skype, as we are continually updating and improving not only the security, but also the features within our products.

  Adrian Asher

Today's Skype for Mac update

Earlier today, we published another update for Skype for Mac users. This latest version (5.1.0.935) includes all of the security fixes from our April 14th release (5.1.0.922), as well as some additional product fixes. Now that this update has finished propagating to our download servers, you should be able to click "Skype -> Check for Updates" within the Skype for Mac application to automatically get this update. Shortly, we will also begin prompting users with a message to update the software.

My approach on releases is to always wait for the majority of our users to update before detailing / discussing any of the specific issues that have been fixed. This minimizes the amount of time that would-be attackers have to try and exploit those of our users that haven't upgraded yet. Naturally, having millions of customers using our software (30 million concurrent users at peak times) does result in a somewhat slow upgrade cycle. However, we typically see that large percentages of the user base have upgraded within a few weeks after a new version has been released. Once we have seen a large proportion of our Skype for Mac user base have upgraded to this new version, we will provide further details on the vulnerability in the Skype for Mac client that was raised by Pure Hacking.

Pure Hacking has also now confirmed that the issue they reported to us on April 7th, for which we were already working on a fix, was addressed in our April 14th release.

As always, we continue to urge Skype users to ensure that their systems or devices are patched and running up-to-date software. This advice extends to both the operating system and other programs that they may have installed.

  Adrian Asher

Security Vulnerability in Mac Client Has Been Addressed

Last month, we were contacted by Pure Hacking, a group of ethical hackers in Australia, who reported what they believed to be a zero-day vulnerability in Skype for Mac 5.x. This vulnerability, which they blogged about earlier today, is related to a situation when a malicious contact would send a specifically crafted message that could cause Skype for Mac to crash. Note, this message would have to come from someone already in your Skype Contact List, as Skype's default privacy settings will not let you receive messages from people that you have not already authorized, hence the term malicious contact.

At the time they alerted us, we were already aware of the issue and were working on a fix to protect Skype users from this vulnerability, as we take our users' security very seriously. We subsequently released a hotfix for this problem in a minor update (Skype for Mac version 5.1.0.922) on April 14th. As there were no reports of this vulnerability being exploited in the wild, we did not prompt our users to install this update, as there is another update in the pipeline that will be sent out early next week.

This new update will include some additional updates and bug fixes. When it is released, we will notify all Skype for Mac users of the need to update their software (the client will prompt the user to update). In the meantime, we recommend you update your software with the fix made available on April 14th, just click on Skype -> Check for Updates or you can download the software here.

Please note, Skype's other clients, e.g. Windows and Linux, are not susceptible to this vulnerability.