SKYPE-SB/2007-001: Improper handling of URI arguments
| Bulletin title: | Improper handling of URI arguments |
| Bulletin ID: | SKYPE-SB/2007-001 |
| Bulletin status: | FINAL |
| Date of announcement: | 2007-12-12 11:00:00 +0000 |
| Products affected: | Skype for Windows |
| Vulnerability type: | Argument handling |
| CVE references: | CVE-2007-3896 |
| Risk assessment: | HIGH |
| CVSS base score: | 9.5 (AV:N/AC:M/Au:N/C:P/I:P/A:N) |
| Cross-references: | None |
Table of contents:
- Problem description and brief discussion
- Impact and affected software
- Solution or work-around
- Special instructions and notes
- Software download location
- Authenticity verification
- Common Vulnerability Scoring System (CVSS) assessment
- Credits and additional information
- Bulletin release history
- Notices
1. Problem description and brief discussion
Description
In some circumstances, a Skype URI can be crafted that, if followed, an executable accessible with the current Windows user rights is launched.
Discussion
An attacker who constructs a Skype URI that is malformed in a
specific way can execute programs which are accessible for current
Windows user.
For the vulnerability to be triggered, the target must click on a
link in the chat, mood message or visit maliciously crafted web page.
The URL handling in Shell32.dll in the Windows shell in Microsoft Windows XP and Server 2003, with Internet Explorer 7 installed, allows remote attackers to execute arbitrary programs via invalid "%" sequences in a mailto: or other URI handler, as demonstrated using mIRC, Outlook, Firefox, Adobe Reader, Skype, and other applications.
This is tracked by Mitre CVE ID CVE-2007-3896.
2. Impact and affected software
Impact
A user of Skype for Windows who clicks on maliciously crafted URL in Skype chat or moodmessage may execute arbitrary code without consent.
Affected software
The following Skype clients are vulnerable to this attack:
Skype for Windows: All releases prior to and including 3.5.*.236
3. Solution or work-around
An official fix to the issue covered by this Security Bulletin has been released. To implement this fix, update to one of the following releases of Skype. (Downloading instructions are shown in Section 5 of this Bulletin.)
Skype for Windows: Skype 3.5, release 3.5.*.239 or later
Microsoft has released update MS07-061 to fix this issue.
4. Special instructions and notes
Note that updating Skype will fix only Skype registered URI handling vulnerabilities. Therefore it is highly recommended to upgrate Windows to address the vulnerability generally.
5. Software download location
The preferred method for installing security updates is to download the software directly from Skype's website, from the website of Skype's authorized partners, or from a reliable mirror site. Skype may also be safely downloaded from other locations, but in this case it is particularly important that you verify the authenticity of the download.
We recommend that once you download any Skype software that you verify its integrity by the methods listed in Section 6 of this Bulletin.
x86 platform, Microsoft Windows 2000 or Microsoft Windows XP: http://www.skype.com/download/skype/windows/
x86 platform, Linux: http://www.skype.com/download/skype/linux/
PPC platform, Mac OS X v10.3 (Panther) or later: http://www.skype.com/download/skype/macosx/
Pocket PC platform, Microsoft Windows Mobile 2003: http://www.skype.com/download/skype/pocketpc/
6. Authenticity verification
- Bulletin authenticity verification:
Skype security bulletins are published on Skype's web site and via mailing lists. The authenticity and integrity of a Skype security bulletins may be determined by inspecting the crypto- graphic signature that is attached to each bulletin. All Skype security bulletins are published with a valid digital signature produced by PGP.
- Software authenticity verification:
- Software authenticity verification:
Both the Skype installer program and the Skype program that is installed by the installer are digitally signed.
For Skype software built for Microsoft Windows and Mac OSX operating environments, the digital certificate used by Skype to sign software packages is signed by "VeriSign Class 3 Code Signing 2004 CA".
For Skype software built for Linux platforms, all packages are signed by PGP key ID 0xD66B746E, the public component of which may be downloaded from http://www.skype.com/download/skype/linux/.
- For general information about Skype security, please visit the Skype Security Resource Center at http://www.skype.com/security/.
7. Common Vulnerability Assessment System (CVSS) assessment
Skype has rated the issue covered by this Security Bulletin under the CVSS scheme as follows:
Base metrics:
Access Vector (AV) ........... Network
Access Complexity (AC) ....... Medium
Authentication (Au) .....,.... Not Required
Confidentiality Impact (C) ... Partial
Integrity Impact (I) ......... Partial
Availability Impact (A) ...... None
Computed CVSS base score: 9.5
Temporal metrics as of 2007-12-12
Exploitability (E) ........... Functional
Remediation Level (RL) ....... Official Fix
Report Confidence (RC) ....... Confirmed
Computed CVSS temporal score: 8.3
Skype participates in the CVSS by rating each identifiable security vulnerability against the CVSS base metrics. In addition, Skype may rate each vulnerability against temporal metrics from time to time. As suggested by the name, temporal metrics for a particular vulnerability may change from time to time.
More information about the CVSS may be obtained from the CVSS host website at http://www.first.org/cvss/.
8. Credits and additional information
Skype would like to thank and credit Jürgen Schmidt from heise Security for having referred this problem to Skype.
9. Bulletin release history
2007-12-12 Initial bulletin release
10. Notices
Copyright 2006 Skype Technologies, S.A. All rights reserved.
This Skype Security Bulletin may be reproduced and distributed, provided that the Bulletin is not modified in any way and is attributed to Skype Technologies, S.A. and provided that repro- duction and distribution is performed for non-commercial purposes.
This Skype Security Bulltin is provided to you on an "AS IS" basis
and may contain information provided by third parties. Skype makes
no guarantees or warranties as to the information contained herein.
ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT
LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED.
To report a security issue to Skype, please send an e-mail that describes the problem or vulnerability to security@skype.com. Please consider securing any reports that disclose security vulnerabilities by encrypting them using the current PGP key of the Skype Computer Emergency Response Team (SKY-CERT), PGP key ID 0xAD2DF320.