SKYPE-SB/2004-001: Range check error in in callto: URI handling

Bulletin title:	Range check error in in callto: URI handling
Bulletin ID:	SKYPE-SB/2004-001
Bulletin status:	FINAL
Date of announcement:	2004-06-15 00:00:00 +0000
Date of last revision:	2005-10-24 10:22:16 +0000
Products affected:	Skype for Windows
Vulnerability type:	Exception condition handling error
CVE references:	CVE-2004-1777
Risk assessment:	LOW
CVSS base score:	3.3 (AV:R/AC:L/Au:NR/C:N/I:N/A:C/B:N)
Cross-references:	SSA-2004-01 (replaced with this bulletin)

1. Problem description and brief discussion

Description

A security bug in the Skype for Windows user client has been identified and fixed.

A range check error exists in the way Skype parses command-line arguments.

Discussion

If Skype is executed with a command line longer than approximately 255 characters, Skype would report an Access Violation and terminate.

The vulnerability can not be used for malicious code execution.

This bug was originally announced in Skype Security Announcement number SSA-2004-01. This bulletin is identical to and replaces SSA-2004-01, but changes the format of the notice.

This is tracked by Mitre CVE ID CVE-2004-1777.

2. Impact and affected software

Impact

By inducing a user to click on a specially crafted callto: URL on a web page or in an HTML e-mail message, an attacker could cause Skype to crash.

Affected software

The following Skype clients are vulnerable to this attack:

Skype for Windows: All releases prior to and including 0.98.*.27

3. Solution or work-around

An official fix to the issue covered by this Security Bulletin has been released. To implement this fix, update to one of the following releases of Skype. (Downloading instructions are shown in Section 4 of this Bulletin.)

Skype for Windows: Release 0.98.*.28 or later

4. Special instructions and notes

None.

5. Software download location

The preferred method for installing security updates is to download the software directly from Skype's website, from the website of Skype's authorized partners, or from a reliable mirror site. Skype may also be safely downloaded from other locations, but in this case it is particularly important that you verify the authenticity of the download.

We recommend that once you download any Skype software that you verify its integrity by the methods listed in Section 6 of this Bulletin.

You may install Skype by running the Skype installer using the installation commands displayed under the appropriate operating system listed at http://www.skype.com/go/download/.

x86 platform, Microsoft Windows 2000 or Microsoft Windows XP: http://www.skype.com/features/skype/windows/

x86 platform, Linux: http://www.skype.com/features/skype/linux/

PPC platform, Mac OS X v10.3 (Panther) or later: http://www.skype.com/features/skype/macosx/

Pocket PC platform, Microsoft Windows Mobile 2003: http://www.skype.com/features/skype/pocketpc/

6. Authenticity verification

- Bulletin authenticity verification:

Skype security bulletins are published on Skype's web site and via mailing lists. The authenticity and integrity of a Skype security bulletins may be determined by inspecting the crypto- graphic signature that is attached to each bulletin. All Skype security bulletins are published with a valid digital signature produced by PGP.

- Software authenticity verification:

Both the Skype installer program and the Skype program that is installed by the installer are digitally signed.

For Skype software built for Microsoft Windows operating environments, the digital certificate used by Skype to sign software packages is signed by "VeriSign Class 3 Code Signing 2004 CA".

For Skype software built for Linux platforms, all packages are signed by PGP key ID 0xD66B746E, the public component of which may be downloaded from http://www.skype.com/features/skype/linux/.

- For general information about Skype security, please visit the Skype Security Resource Center at http://www.skype.com/security/.

7. Common Vulnerability Assessment System (CVSS) assessment

Skype has rated the issue covered by this Security Bulletin under the CVSS scheme as follows:

Base metrics:

Access Vector (AV) ........... Remote
Access Complexity (AC) ....... Low
Authentication (Au) .....,.... Not Required
Confidentiality Impact (C) ... None
Integrity Impact (I) ......... None
Availability Impact (A) ...... Complete
Impact Bias (B) .............. Normal

Computed CVSS base score: 3.3

Temporal metrics as of 2005-10-24

Exploitability (E) ........... High
Remediation Level (RL) ....... Official Fix
Report Confidence (RC) ....... Confirmed

Computed CVSS temporal score: 2.9

Skype participates in the CVSS by rating each identifiable security vulnerability against the CVSS base metrics. In addition, Skype may rate each vulnerability against temporal metrics from time to time. As suggested by the name, temporal metrics for a particular vulnerability may change from time to time.

More information about the CVSS may be obtained from the CVSS host website at http://www.first.org/cvss/.

8. Credits and additional information

Skype would like to credit and thank Hillel Himovich for referring this bug to us for resolution.

9. Bulletin release history

2004-06-15 Initial bulletin release 2005-10-24 Updated to change the bulletin numbering and format, as well as to add CVSS scoring

10. Notices

This Skype Security Bulletin may be reproduced and distributed, provided that the Bulletin is not modified in any way and is attributed to Skype Technologies, S.A. and provided that repro- duction and distribution is performed for non-commercial purposes.

This Skype Security Bulltin is provided to you on an "AS IS" basis and may contain information provided by third parties. Skype makes no guarantees or warranties as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED.