Skype, the widely popular chat and calling service acquired by Microsoft in 2011, is likely a program you have installed on your computer. With a reported user base in the tens of millions, the ubiquity of the platform should not be understated. In fact, approximately 35% of small businesses are said to use Skype as their primary communication service. When such a massive platform has a security flaw exposed, the implications are far-reaching. Thus, when Benjamin Kunz-Mejri, a security researcher at Vulnerability Lab, reported a bug that potential attackers could exploit in the program, there was cause for concern.
The vulnerability was discovered within a team conference call on Skype Web, and is said to affect Skype versions 7.2, 7.35, and 7.36 on Windows XP, Windows 7, and Windows 8. Essentially, the vulnerability allows attackers to crash the program by causing a stack overflow error. From there, the attackers could potentially execute further exploits. Mejri explains that the vulnerability stems from a lack of “secure limitations or restrictions” within Skype’s clipboard function. Thus, the vulnerability can be exploited by the transmission of malicious files via the clipboard. Users looking for a more in-depth explanation can refer to Mejri’s detailed write-up here. Vulnerability Lab has also released a proof-of-concept video showing how to recreate the exploit.
Thankfully, the security firm reported the issue to Microsoft earlier last month, and the company has already issued a patch to fix the vulnerability. Vulnerability Lab has confirmed that “in Skype v7.37 the vulnerability is patched”. If you are one of the millions who use Skype, it is highly recommended that you update to protect yourself from this exploit. If you are unsure of how to update your version of Skype, steps can be found here.