Skype Update 5.5 With Critical Security Vulnerability - gHacks Tech News

It does not happen often that software updates ship with critical security issues, or that those issues are detected shortly after an update gets released.

But that's exactly the case with the Skype 5.5 release for Windows. Skype 5.5 is the first version with Facebook integration. Skype users with a Facebook account can now use some of Facebook's functionality right in the voice over IP software. This includes posting comments and status updates, or seeing which Facebook friends are online on the social networking website.

Facebook Chat, in turn, now has Skype integration, which lets Facebook users video chat with online friends. Security researcher David Vieira-Kurz discovered several vulnerabilities in the new Skype version that could allow an attacker to take over a user's Skype session. What makes this attack even more dangerous is that the attacker does not have to be a Facebook friend or Skype contact of the user to launch it.

The attack uses code that is entered into a wall or comment post. The Skype session information is then displayed on screen. The exploit is persistent in nature, as logging off and on again on Facebook does not invalidate the Skype session. The vulnerability is caused by Skype's inadequate escaping of data that is posted on Facebook.
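The article attributes the flaw to inadequate escaping of Facebook post data. As an added illustration (not Skype's code, which the article does not show), here is a hypothetical feed renderer in its weak and hardened forms; the function names, item fields and sample post are all constructed for this example.

```javascript
// Added example: rendering an untrusted feed item (constructed data) into HTML.
// All names here (renderUnsafe, renderSafe, the item fields) are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode text for HTML element content and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only http(s) links; anything else (javascript:, data:, ...) becomes "#".
function safeUrl(value) {
  try {
    const url = new URL(String(value));
    return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : '#';
  } catch {
    return '#'; // unparsable or relative URL: drop it
  }
}

// Weak form: remote strings are concatenated straight into markup.
function renderUnsafe(item) {
  return `<div class="post"><b>${item.author}</b>: ${item.message} ` +
         `<a href="${item.link}">link</a></div>`;
}

// Hardened form: every remote field is encoded for the context it lands in.
function renderSafe(item) {
  return `<div class="post"><b>${escapeHtml(item.author)}</b>: ${escapeHtml(item.message)} ` +
         `<a href="${escapeHtml(safeUrl(item.link))}">link</a></div>`;
}

// Constructed sample post containing markup and a non-http link.
const samplePost = {
  author: 'Alice "A" <admin>',
  message: '<img src=x onerror=alert(1)> hello & bye',
  link: 'javascript:alert(1)',
};

// True if the rendered HTML introduces any element other than div, b and a.
function hasInjectedMarkup(html) {
  const tags = html.match(/<\/?([a-z0-9]+)/gi) || [];
  return tags.some((t) => !['div', 'b', 'a'].includes(t.replace(/[<\/]/g, '').toLowerCase()));
}

console.log(renderSafe(samplePost));
```

With the hardened renderer the posted markup reaches the view as inert text, and the link falls back to `#` because its scheme is not http or https.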

David has posted a proof-of-concept video that demonstrates the vulnerability.

Windows users who are considering updating to Skype 5.5 for the Facebook integration and chat functionality should consider waiting until an update is released by Skype. No workaround is available at this point in time.

What can you do if you have already updated to Skype 5.5? You could block the Skype app on Facebook under Privacy Settings until a fix is available. Please note that I have not tested this.


Comments

  1. tom said on July 29, 2011 at 11:03 am

    Martin, very interesting as usual. Just one question though – you mention waiting with the Skype update until a fix is available. I am not aware of an option in this respect. My last two updates came through automatically without any option to deny, delay or stop them. I even went to the forum but it seems that the new versions consider automatic updates a security feature that is no longer optional. Obviously even without your new information I think that is bad policy if true. So if you know how to disable automatic updates in Skype, please share that info.

    Kind Regards
    Tom

    1. Martin Brinkmann said on July 29, 2011 at 11:07 am

      Tom, I’m actually not using Skype anymore. Did not know that you cannot block updates from going out. The only option in this case is to block Skype on Facebook then.
