News Document Title: ==================== Skype Corruption & Peristent Weakness Vulnerability released Release Date: ============= 2012-03-29 Laboratory Article: =================== Today the vulnerability-lab team (Benjamin Kunz Mejri and Alexander Fuchs) and a external researcher (Ucha Gobejishvili) discovered a new skype remote vulnerability. The bug is located when processing special crafted symbole strings on conversations and input masks of the skype software context. The bug is located in the software when processing special crafted symbole messages via communication box. The vulnerability allows an attacker to freeze, block, crash or destroy the communication messagebox of the connected conference persons/teams. The bug also has an persistent weakness vector which allows an remote attacker to implement the symbole string to the contact user requests messagebox. The result is also a stable persistent error message and a client denial of service. Attackers can also implement the test poc to the group labelname which results in a stable group error with different exceptions. The facebook integration allows to sync the account with skype and can also redisplay the issue with the error via facebook module and wall- posting. The callto function allows an attacker to implement the issue persistent on a victim user profile by using the symbole string as nickname. Vulnerable Module(s): [+] MessageBox and Request Contact [+] Contact Request Messagebox - Add Skype User [+] Group Topic and Group Information Name [+] Facebook integration - Connect Account Wall Postings Affected Version(s): > Windows v5.8.0.156, MacOS 5.5.0.2340 and Linux 2.2 Beta The disclosure process has been coordinated by Micorsoft Security Center (MSRC) to Skype Security. The attack vector has been removed in the old version (5.8.0.156) via hotfix and the issue is addressed by skype.(exp. v5.8.0.158). URL: http://news.hitb.org/content/skype-corruption-peristent-weakness-vulnerability-released