October 2005
Skype - Two Security Bulletins
ID: 00949
Ref: 888/05
Date: 26 October 2005:10:08:14
Version: 1
Title: Skype - Two Security Bulletins
Abstract: 1. Buffer overflow in Skype-specific URI and VCARD import handling [SKYPE-SB/2005-002] , 2. Heap overflow in networking routine [SKYPE-SB/2005-003]
Vendors affected: Skype
Operating systems affected: Skype
Applications affected: Skype
Title
=====
Skype - Two Security Bulletins:
1. Buffer overflow in Skype-specific URI and VCARD import handling [SKYPE-SB/2005-002]
2. Heap overflow in networking routine [SKYPE-SB/2005-003]
Detail
======
Security bulletin summaries:
1. Skype can be made to execute arbitrary code through a buffer
overflow when Skype is called upon to handle malformed URLs that
are in Skype-specific URI types callto:// and skype://. In
addition, Skype can be made to execute arbitrary code during
importation of a VCARD that is in a specific non-standard format.
2. An attacker who sends a stream of specifically-crafted network
traffic to a Skype client network can cause the client to overwrite
part of the heap, including the heap integrity control data. Since
the attacker cannot control the address where the data is written,
the most likely effect will be that Skype will abort execution
due to an internal error, although other unpredictable behaviour is
possible.
Security bulletin content follows:
1.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
SKYPE SECURITY BULLETIN SKY-CERT
Bulletin title: Buffer overflow in Skype-specific URI and
VCARD import handling
Bulletin ID: SKYPE-SB/2005-002
Bulletin status: FINAL
Date of announcement: 2005-10-25 13:00:00 +0000
Date of last revision: None
Products affected: Skype for Windows
Vulnerability type: Buffer overflow
CVE references: CVE-2005-3265
Risk assessment: HIGH
CVSS base score: 10.0
(AV:R/AC:L/Au:NR/C:C/I:C/A:C/B:N)
Cross-references: http://qc.borland.com/wc/qcmain.aspx?d=4744
SKYPE-SB/2004-001 (formerly SSA-2004-01)
Table of contents:
1. Problem description and brief discussion
2. Impact and affected software
3. Solution or work-around
4. Special instructions and notes
5. Software download location
6. Authenticity verification
7. Common Vulnerability Scoring System (CVSS) assessment
8. Credits and additional information
9. Bulletin release history
10. Notices
________________________________________________________________________
1. Problem description and brief discussion
Description
-----------
A security bug in the Skype for Windows user client has been
identified and fixed.
Skype can be made to execute arbitrary code through a buffer
overflow when Skype is called upon to handle malformed URLs that
are in Skype-specific URI types callto:// and skype://.
In addition, Skype can be made to execute arbitrary code during
importation of a VCARD that is in a specific non-standard format.
Discussion
----------
This bug is a subsidiary effect of documented Borland Delphi
bug 4744 (http://qc.borland.com/wc/qcmain.aspx?d=4744).
Skype has replaced instances of the offending routine with one
that performs proper bounds-checking.
Note that this bug is similar to the issue previously reported in
SKYPE-SB/2004-001 (formerly numbered as SSA-2004-01), but was not
caused by a reintroduction of the previously fixed source code.
This is tracked by Mitre CVE ID CVE-2005-3265.
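The defect class this bulletin describes, a URI handler that copies the remainder of a callto:// or skype:// URL into a fixed-size buffer without checking its length, is illustrated below in the corrected form. This is an added example in C, not Skype's code and not the Delphi routine the bulletin refers to; the target-name limit, the accepted character set and the function names are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical handler for the callto:// and skype:// schemes named in the
 * bulletin. Not Skype's code: it illustrates the bounds-checked copy that
 * the bulletin says replaced the offending routine. */
#define SKYPE_TARGET_MAX 32   /* assumed upper bound on a target name */

enum uri_status {
    URI_OK = 0, URI_BAD_SCHEME, URI_EMPTY, URI_TOO_LONG, URI_BAD_CHAR
};

/* Length of the matching scheme prefix, or 0 if neither scheme matches. */
static size_t match_scheme(const char *uri)
{
    static const char *const schemes[] = { "callto://", "skype://" };
    for (size_t i = 0; i < sizeof schemes / sizeof schemes[0]; i++) {
        size_t n = strlen(schemes[i]);
        if (strncmp(uri, schemes[i], n) == 0)
            return n;
    }
    return 0;
}

/* Copy the target that follows the scheme into out[out_sz].
 * The defect class described in the bulletin is a copy of the URI
 * remainder into a fixed-size buffer without first comparing lengths;
 * here every bound is checked before a single byte is written. */
int parse_skype_uri(const char *uri, char *out, size_t out_sz)
{
    size_t prefix = match_scheme(uri);
    if (prefix == 0)
        return URI_BAD_SCHEME;
    const char *target = uri + prefix;
    size_t len = strlen(target);
    if (len == 0)
        return URI_EMPTY;
    /* The name plus its terminating NUL must fit the caller's buffer,
     * and must also respect the protocol-level limit. */
    if (len > SKYPE_TARGET_MAX || len >= out_sz)
        return URI_TOO_LONG;
    /* Conservative character set: nothing downstream ever sees control
     * characters, path separators or whitespace from an untrusted URL. */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)target[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return URI_BAD_CHAR;
    }
    memcpy(out, target, len);
    out[len] = '\0';
    return URI_OK;
}
```

An over-long or malformed URL is rejected with a status code before any copy happens, which is the behaviour a handler registered for these schemes needs, since the input arrives from whatever page or document the user clicked.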
________________________________________________________________________
2. Impact and affected software
Impact
------
A user could cause arbitrary code to be executed if a specially-crafted
Skype-specific URL is clicked or if a specially-crafted VCARD is
imported.
Affected software
-----------------
The following Skype clients are vulnerable to this attack:
Skype for Windows:
Releases 1.1.*.0 through 1.4.*.83
________________________________________________________________________
3. Solution or work-around
An official fix to the issue covered by this Security Bulletin has
been released. To implement this fix, update to one of the
following releases of Skype. (Downloading instructions are shown
in Section 4 of this Bulletin.)
Skype for Windows:
Release 1.4.*.84 or later
As a work-around prior to updating the Skype software, this bug may
be avoided by not selecting Skype-specific URIs and not importing
VCARD records.
________________________________________________________________________
4. Special instructions and notes
None.
________________________________________________________________________
5. Software download location
The preferred method for installing security updates is to download
the software directly from Skype's website, from the website of
Skype's authorized partners, or from a reliable mirror site. Skype
may also be safely downloaded from other locations, but in this
case it is particularly important that you verify the authenticity
of the download.
We recommend that once you download any Skype software that you
verify its integrity by the methods listed in Section 6 of this
Bulletin.
You may install Skype by running the Skype installer using the
installation commands displayed under the appropriate operating
system listed at http://www.skype.com/download/.
x86 platform, Microsoft Windows 2000 or Microsoft Windows XP:
http://www.skype.com/products/skype/windows/
x86 platform, Linux:
http://www.skype.com/products/skype/linux/
PPC platform, Mac OS X v10.3 (Panther) or later:
http://www.skype.com/products/skype/macosx/
Pocket PC platform, Microsoft Windows Mobile 2003:
http://www.skype.com/products/skype/pocketpc/
________________________________________________________________________
6. Authenticity verification
- Bulletin authenticity verification:
Skype security bulletins are published on Skype's web site and
via mailing lists. The authenticity and integrity of Skype
security bulletins may be determined by inspecting the
cryptographic signature that is attached to each bulletin. All Skype
security bulletins are published with a valid digital signature
produced by PGP.
- Software authenticity verification:
Both the Skype installer program and the Skype program that is
installed by the installer are digitally signed.
For Skype software built for Microsoft Windows operating
environments, the digital certificate used by Skype to sign
software packages is signed by "VeriSign Class 3 Code Signing 2004
CA".
For Skype software built for Linux platforms, all packages are
signed by PGP key ID 0xD66B746E, the public component of which may
be downloaded from http://www.skype.com/products/skype/linux/.
- For general information about Skype security, please visit the
Skype Security Resource Center at http://www.skype.com/security/.
________________________________________________________________________
7. Common Vulnerability Scoring System (CVSS) assessment
Skype has rated the issue covered by this Security Bulletin under
the CVSS scheme as follows:
Base metrics:
Access Vector (AV) ........... Remote
Access Complexity (AC) ....... Low
Authentication (Au) .......... Not Required
Confidentiality Impact (C) ... Complete
Integrity Impact (I) ......... Complete
Availability Impact (A) ...... Complete
Impact Bias (B) .............. Normal
Computed CVSS base score: 10.0
Temporal metrics as of 2005-10-25
Exploitability (E) ........... Functional
Remediation Level (RL) ....... Official Fix
Report Confidence (RC) ....... Confirmed
Computed CVSS temporal score: 8.3
Skype participates in the CVSS by rating each identifiable security
vulnerability against the CVSS base metrics. In addition, Skype
may rate each vulnerability against temporal metrics from time to
time. As suggested by the name, temporal metrics for a particular
vulnerability may change from time to time.
More information about the CVSS may be obtained from the CVSS host
website at http://www.first.org/cvss/.
________________________________________________________________________
8. Credits and additional information
This bug was referred to SKY-CERT by an external referrer, Mark Rowe
of Pentest Limited. We would like to credit and thank Mark for
having referred this issue to Skype.
________________________________________________________________________
9. Bulletin release history
2005-10-25 Initial bulletin release
________________________________________________________________________
10. Notices
Copyright 2005 Skype Technologies, S.A. All rights reserved.
This Skype Security Bulletin may be reproduced and distributed,
provided that the Bulletin is not modified in any way and is
attributed to Skype Technologies, S.A. and provided that reproduction
and distribution is performed for non-commercial purposes.
This Skype Security Bulletin is provided to you on an "AS IS" basis
and may contain information provided by third parties. Skype makes
no guarantees or warranties as to the information contained herein.
ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT
LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED.
========================================================================
To report a security issue to Skype, please send an e-mail that
describes the problem or vulnerability to . Please
consider securing any reports that disclose security vulnerabilities by
encrypting them using the PGP key of the Skype Computer Emergency
Response Team (SKY-CERT), PGP key ID 0x019DBB43.
========================================================================
- -----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.2 (Build 2424)
iQA/AwUBQ10hguQJFIMBnbtDEQLdyACggNk92F200zqf2gktF+OIzedjAM0Anjt6
Aadehodx9QdtZy57TwB7ZEiY
=R3fX
- -----END PGP SIGNATURE-----
2.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
SKYPE SECURITY BULLETIN SKY-CERT
Bulletin title: Heap overflow in networking routine
Bulletin ID: SKYPE-SB/2005-003
Bulletin status: INTERIM
Date of announcement: 2005-10-25 08:00:00 +0000
Date of last revision: 2005-10-25 08:37:00 +0000
Products affected: Skype client (all platforms)
Vulnerability type: Heap overflow
CVE references: CVE-2005-3267
Risk assessment: HIGH
CVSS base score: 8.0
(AV:R/AC:H/Au:NR/C:C/I:C/A:C/B:A)
Cross-references: None
Table of contents:
1. Problem description and brief discussion
2. Impact and affected software
3. Solution or work-around
4. Special instructions and notes
5. Software download location
6. Authenticity verification
7. Common Vulnerability Scoring System (CVSS) assessment
8. Credits and additional information
9. Bulletin release history
10. Notices
________________________________________________________________________
1. Problem description and brief discussion
Description
-----------
A security bug in the Skype user client, for all platforms, has
been identified and fixed.
Skype can be remotely forced to crash due to an error in bounds
checking in a specific networking routine.
Discussion
----------
An attacker who sends a stream of specifically-crafted network
traffic to a Skype client network can cause the client to overwrite
part of the heap, including the heap integrity control data. Since
the attacker cannot control the address where the data is written,
the most likely effect will be that Skype will abort execution
due to an internal error, although other unpredictable behavior is
possible.
Such a crash will lead to a loss of availability of the Skype
application until it is restarted by the user. Skype has been able
to induce Skype clients to crash, but has not been able to cause the
client to execute specific instructions.
This is tracked by Mitre CVE ID CVE-2005-3267.
________________________________________________________________________
2. Impact and affected software
Impact
------
An attacked Skype client may crash.
Affected Software
-----------------
The following Skype clients are vulnerable to this attack:
Skype for Windows:
All releases prior to and including 1.4.*.83
Skype for Mac OS X:
All releases prior to and including 1.3.*.16
Skype for Linux:
All releases prior to and including 1.2.*.17
Skype for Pocket PC:
All releases prior to and including 1.1.*.6
________________________________________________________________________
3. Solution or work-around
An official fix to the issue covered by this Security Bulletin has
been released. To implement this fix, update to one of the
following releases of Skype. (Downloading instructions are shown
in Section 4 of this Bulletin.)
Skype for Windows:
Release 1.4.*.84 or later
Skype for Mac OS X:
Release 1.3.*.17 or later
Skype for Linux:
Release 1.2.*.18 or later
Skype for Pocket PC:
No patch is yet available. This bulletin will be updated when it
has been made available.
________________________________________________________________________
4. Special instructions and notes
None.
________________________________________________________________________
5. Software download location
The preferred method for installing security updates is to download
the software directly from Skype's website, from the website of
Skype's authorized partners, or from a reliable mirror site. Skype
may also be safely downloaded from other locations, but in this
case it is particularly important that you verify the authenticity
of the download.
We recommend that once you download any Skype software that you
verify its integrity by the methods listed in Section 6 of this
Bulletin.
x86 platform, Microsoft Windows 2000 or Microsoft Windows XP:
http://www.skype.com/products/skype/windows/
x86 platform, Linux:
http://www.skype.com/products/skype/linux/
PPC platform, Mac OS X v10.3 (Panther) or later:
http://www.skype.com/products/skype/macosx/
Pocket PC platform, Microsoft Windows Mobile 2003:
http://www.skype.com/products/skype/pocketpc/
________________________________________________________________________
6. Authenticity verification
- Bulletin authenticity verification:
Skype security bulletins are published on Skype's web site and
via mailing lists. The authenticity and integrity of Skype
security bulletins may be determined by inspecting the
cryptographic signature that is attached to each bulletin. All Skype
security bulletins are published with a valid digital signature
produced by PGP.
- Software authenticity verification:
Both the Skype installer program and the Skype program that is
installed by the installer are digitally signed.
For Skype software built for Microsoft Windows operating
environments, the digital certificate used by Skype to sign
software packages is signed by "VeriSign Class 3 Code Signing 2004
CA".
For Skype software built for Linux platforms, all packages are
signed by PGP key ID 0xD66B746E, the public component of which may
be downloaded from http://www.skype.com/products/skype/linux/.
- For general information about Skype security, please visit the
Skype Security Resource Center at http://www.skype.com/security/.
________________________________________________________________________
7. Common Vulnerability Scoring System (CVSS) assessment
Skype has rated the issue covered by this Security Bulletin under
the CVSS scheme as follows:
Base metrics:
Access Vector (AV) ........... Remote
Access Complexity (AC) ....... High
Authentication (Au) .......... Not Required
Confidentiality Impact (C) ... Complete
Integrity Impact (I) ......... Complete
Availability Impact (A) ...... Complete
Impact Bias (B) .............. Availability
Computed CVSS base score: 8.0
Temporal metrics as of 2005-10-25
Exploitability (E) ........... Proof of Concept
Remediation Level (RL) ....... Official Fix (for Skype for Windows)
Remediation Level (RL) ....... Official Fix (for Skype for Mac OS X)
Remediation Level (RL) ....... Unavailable (for other platforms)
Report Confidence (RC) ....... Confirmed
Computed CVSS temporal score: 6.3
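The base and temporal scores printed in both bulletins (10.0 and 8.3 for SKYPE-SB/2005-002, 8.0 and 6.3 for SKYPE-SB/2005-003) can be recomputed from the metric tables above. The following is an added worked example in C and is not part of either bulletin; the metric weights are the CVSS version 1 tables as the editor recalls them and are an assumption, checked only against the four scores the bulletins print.

```c
#include <stdint.h>

/* CVSS version 1 (2005) arithmetic, as an added example that reproduces
 * the scores in both bulletins. Not Skype's code. The weights are the
 * CVSS v1 tables as recalled by the editor (an assumption); the scaled
 * integer arithmetic avoids binary floating-point surprises at the .x5
 * rounding boundaries that decimal scores such as 8.265 sit on. */
enum { AV_LOCAL = 7, AV_REMOTE = 10 };                         /* tenths */
enum { AC_HIGH = 8, AC_LOW = 10 };                             /* tenths */
enum { AU_REQUIRED = 6, AU_NOT_REQUIRED = 10 };                /* tenths */
enum { IMP_NONE = 0, IMP_PARTIAL = 7, IMP_COMPLETE = 10 };     /* tenths */
enum bias { BIAS_NORMAL, BIAS_CONF, BIAS_INTEG, BIAS_AVAIL };
enum { E_UNPROVEN = 85, E_POC = 90, E_FUNCTIONAL = 95, E_HIGH = 100 };        /* hundredths */
enum { RL_OFFICIAL = 87, RL_TEMPORARY = 90, RL_WORKAROUND = 95, RL_UNAVAILABLE = 100 };
enum { RC_UNCONFIRMED = 90, RC_UNCORROBORATED = 95, RC_CONFIRMED = 100 };

/* Impact-bias weights in thousandths, ordered C, I, A. */
static void bias_weights(enum bias b, int w[3])
{
    int c = 333, i = 333, a = 333;               /* Normal: equal thirds */
    if (b == BIAS_CONF)  { c = 500; i = 250; a = 250; }
    if (b == BIAS_INTEG) { c = 250; i = 500; a = 250; }
    if (b == BIAS_AVAIL) { c = 250; i = 250; a = 500; }
    w[0] = c; w[1] = i; w[2] = a;
}

/* Base = round1(10 * AV * AC * Au * (C*Cb + I*Ib + A*Ab)), returned in
 * tenths of a point. With the scales above the raw product equals the
 * score times 1e6, so rounding to one decimal divides by 1e5, half up. */
int cvss1_base_x10(int av, int ac, int au, int c, int i, int a, enum bias b)
{
    int w[3];
    bias_weights(b, w);
    int64_t impact = (int64_t)c * w[0] + (int64_t)i * w[1] + (int64_t)a * w[2];
    int64_t raw = (int64_t)av * ac * au * impact;
    return (int)((raw + 50000) / 100000);
}

/* Temporal = round1(Base * E * RL * RC). Inputs are in hundredths, so
 * the raw product is the score in tenths times 1e6. */
int cvss1_temporal_x10(int base_x10, int e, int rl, int rc)
{
    int64_t raw = (int64_t)base_x10 * e * rl * rc;
    return (int)((raw + 500000) / 1000000);
}
```

For SKYPE-SB/2005-003 the 6.3 temporal score corresponds to the Official Fix remediation level; the same formula with RL_UNAVAILABLE, as the bulletin lists for the platforms still awaiting a patch, yields 7.2.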
Skype participates in the CVSS by rating each identifiable security
vulnerability against the CVSS base metrics. In addition, Skype
may rate each vulnerability against temporal metrics from time to
time. As suggested by the name, temporal metrics for a particular
vulnerability may change from time to time.
More information about the CVSS may be obtained from the CVSS host
website at http://www.first.org/cvss/.
________________________________________________________________________
8. Credits and additional information
This bug was simultaneously referred to SKY-CERT by two independent
sources, one internal to Skype and one external. We would like to
thank and acknowledge the external referrer, the EADS Corporate
Research Center security lab, for having referred this issue to
Skype.
________________________________________________________________________
9. Bulletin release history
2005-10-25 Initial bulletin release
2005-10-25 Corrected credit information at the request of Imad
Lahoud of the EADS Corporate Research Center
________________________________________________________________________
10. Notices
Copyright 2005 Skype Technologies, S.A. All rights reserved.
This Skype Security Bulletin may be reproduced and distributed,
provided that the Bulletin is not modified in any way and is
attributed to Skype Technologies, S.A. and provided that reproduction
and distribution is performed for non-commercial purposes.
This Skype Security Bulletin is provided to you on an "AS IS" basis
and may contain information provided by third parties. Skype makes
no guarantees or warranties as to the information contained herein.
ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT
LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED.
========================================================================
To report a security issue to Skype, please send an e-mail that
describes the problem or vulnerability to . Please
consider securing any reports that disclose security vulnerabilities by
encrypting them using the PGP key of the Skype Computer Emergency
Response Team (SKY-CERT), PGP key ID 0x019DBB43.
========================================================================
- -----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.2 (Build 2424)
iQA/AwUBQ13u0eQJFIMBnbtDEQLxrwCg7QUhaeWBZFC+FyDN2cZFPZ+MyV4AmwUF
ODXvR829pFfwh2579NQLgEnp
=5/OD
- -----END PGP SIGNATURE-----