Security researchers have discovered a flaw in Skype that could enable hackers to run code on a target system, phish for credentials and crash applications. Kyle Wilhoit, Senior Security Researcher at DomainTools commented below.
Kyle Wilhoit, Senior Security Researcher at DomainTools:
“This vulnerability is primarily an issue for Skype versions running on Windows. While other operating systems may be affected, any publicly accessible (Library, hotel business center, etc.) Windows machines running Skype version 7.31.0.104 and older are vulnerable. The vulnerability targets local access to the Skype login page and must allow for Facebook login, therefore somewhat reducing the attack surface. Taking into account attack surface, my opinion is, any vulnerability that can result in code execution should be considered critical and dealt with accordingly.
On the local machine, the nastiest option available to attackers is code execution (leveraging the legitimate the Skype service). This would allow an attacker to escalate local privileges, embed backdoors, and possibly move laterally in the network.
In order to mitigate such attacks, you should make sure your applications are up to date. Make sure Skype is fully patched to help mitigate this threat. (A patch has been released for this vulnerability).”
