Skype Update 5.5 With Critical Security Vulnerability
It does not happen often that software updates ship with critical security issues, or that those issues are detected shortly after an update gets released.
But that's exactly the case with the Skype 5.5 release for Windows. Skype 5.5 is the first version with Facebook integration. Skype users with a Facebook account can now use some of Facebook's functionality right in the voice over IP software. This includes posting comments and status updates, or seeing which Facebook friends are online on the social networking website.
Facebook Chat has in return gained Skype integration, which now lets Facebook users video chat with online friends. Security researcher David Vieira-Kurz discovered several vulnerabilities in the new Skype version that could allow an attacker to take over the Skype session of a user. What makes this attack even more dangerous is the fact that the attacker does not have to be a Facebook user's friend or Skype contact to launch the attack.
The attack uses code that is entered into a wall or comment post. The Skype session information is then displayed on screen. The exploit is persistent in nature, as logging off and on again on Facebook does not invalidate the Skype session. The vulnerability is caused by Skype's inadequate escaping of data that is posted on Facebook.
David has posted a proof of concept video that demonstrates the vulnerability.
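The root cause named above, inadequate escaping of remotely posted data, shown as an added JavaScript example (not Skype's code and not part of the original article) with the unescaped rendering beside a hardened one. It assumes the feed is rendered as HTML in an embedded view; the field names and the sample post are constructed for illustration.

```javascript
// Added example: field names (author, profileUrl, message) are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only absolute http(s) links; any other scheme is replaced with '#'.
function safeUrl(value) {
  try {
    const url = new URL(String(value));
    return (url.protocol === 'https:' || url.protocol === 'http:') ? url.href : '#';
  } catch (err) {
    return '#'; // not an absolute URL
  }
}

// "Before": remote fields are pasted into the markup as-is.
function renderPostUnsafe(post) {
  return '<div class="post"><a href="' + post.profileUrl + '">' + post.author +
         '</a><p>' + post.message + '</p></div>';
}

// "After": every remote field is encoded for the context it lands in.
function renderPostSafe(post) {
  return '<div class="post"><a href="' + escapeHtml(safeUrl(post.profileUrl)) + '">' +
         escapeHtml(post.author) + '</a><p>' + escapeHtml(post.message) + '</p></div>';
}

// Constructed sample post; the markup is an inert marker, not a working payload.
const samplePost = {
  author: 'Not "a" friend',
  profileUrl: 'javascript:void(0)',
  message: 'hello <script>/* constructed marker */</script>',
};

// True if the rendered HTML still carries a script tag or a javascript: link.
function containsActiveMarkup(html) {
  return /<script\b/i.test(html) || /href="\s*javascript:/i.test(html);
}

console.log('unsafe keeps active markup:', containsActiveMarkup(renderPostUnsafe(samplePost)));
console.log('safe keeps active markup:  ', containsActiveMarkup(renderPostSafe(samplePost)));
console.log(renderPostSafe(samplePost));
```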
Windows users who are considering updating to Skype 5.5 for the Facebook integration and chat functionality should consider waiting until an update is released by Skype. No workaround is available at this point in time.
What can you do if you have already updated to Skype 5.5? You could block the Skype app on Facebook under Privacy Settings until a fix is available. Please note that I have not tested this.