Skype Critical Bug Lets Hackers Remotely Execute Malicious Code

28Jun - by Pax_tan - 0 - In News

A critical vulnerability has been discovered in Microsoft-owned most popular free web messaging and voice calling service Skype that could allow hackers to remotely execute malicious code and crash systems.

Patch Unblocks Windows 7 and 8.1 Updates It should be hard for Microsoft to make any more mistakes with its Windows 10 push, but it keeps finding new ways. After nagging everyone incessantly about upgrading, updating computers without asking, and making Windows 10 patches mandatory, Microsoft has started disallowing...

Skype is a free online service that allows users to communicate with peers by voice, video, and instant messaging over the Internet. The service was acquired by Microsoft Corporation in May 2011 for US$8.5 Billion due to its worldwide popularity.

Security researcher Benjamin Kunz-Mejri from Germany-based security firm Vulnerability Lab discovered the previously unknown stack buffer overflow vulnerability, which is documented in CVE-2017-9948, in Skype Web's messaging and call service during a team conference call.The vulnerability is considered a high-security risk with a 7.2 CVSS score and affects Skype versions 7.2, 7.35, and 7.36 on Windows XP, Windows 7 and Windows 8, Mejri said in a public security disclosure published on Monday.

"The issue can be exploited remotely via session or by local interaction. The problem is located in the print clipboard format & cache transmit via remote session on Windows XP, Windows 7, Windows 8 and Windows 10. In Skype v7.37 the vulnerability is patched," the security firm wrote.

No User Interaction Needed

What's worst? The stack buffer overflow vulnerability doesn't require any user interaction, and only require a low privilege Skype user account.

So, an attacker can remotely crash the application "with an unexpected exception error, to overwrite the active process registers," or even execute malicious code on a target system running the vulnerable Skype version.

Credit Card with Built-In Fingerprint Scanner MasterCard has unveiled its brand new payment card that has a built-in biometric fingerprint scanner, allowing customers to authorize payments with their fingerprint, without requiring a PIN code or a signature.The company is already testing the new biometric payment cards, c...

The issue resides in the way Skype uses the 'MSFTEDIT.DLL' file in case of a copy request on local systems.

Here's How Attackers can Exploit this Flaw

According to the vulnerability report, attackers can craft a malicious image file and then copy and paste it from a clipboard of a computer system into a conversation window in the Skype application.
Once this image is hosted on a clipboard on both the remote and the local systems, Skype experiences a stack buffer overflow, causing errors and crashing the application, which left the door open for more exploits.
"The limitation of the transmitted size and count for images via print of the remote session clipboard has no secure limitations or restrictions. Attackers [can] crash the software with one request to overwrite the EIP register of the active software process," researchers from Vulnerability Lab says.

"Thus allows local or remote attackers to execute own codes on the affected and connected computer systems via the Skype software," they added.

Proof-of-Concept Code Released

The security firm has also provided proof-of-concept (PoC) exploit code that you can use to test the flaw.

Vulnerability Lab reported the flaw to Microsoft on 16th May, and Microsoft fixed the issue and rolled out a patch on 8 June in Skype version 7.37.178.

If you are Skype user, make sure that you run the latest version of the application on your system in order to protect themselves from cyber attacks based on this vulnerability.

Webroot flags Windows as Malware and Facebook as Phishing website Popular antivirus service Webroot mistakenly flagged core Windows system files as malicious and even started temporarily removing some of the legit files, trashing user computers around the world.The havoc caused after the company released a bad update on April 24, which was ...

Leave a Reply

Your email address will not be published. Required fields are marked *