A critical vulnerability has been discovered in Skype, the hugely popular free web messaging and voice calling service owned by Microsoft, that could allow hackers to remotely execute malicious code and crash systems.
Security researcher Benjamin Kunz-Mejri from Germany-based security firm Vulnerability Lab discovered the previously unknown stack buffer overflow vulnerability, documented as CVE-2017-9948, in Skype Web’s messaging and call service during a team conference call.
The vulnerability is considered a high security risk with a 7.2 CVSS score and affects Skype versions 7.2, 7.35, and 7.36 on Windows XP, Windows 7 and Windows 8, Mejri said in a public security disclosure published on Monday.
“The issue can be exploited remotely via session or by local interaction. The problem is located in the print clipboard format & cache transmit via remote session on Windows XP, Windows 7, Windows 8 and Windows 10. In Skype v7.37 the vulnerability is patched,” the security firm wrote.
What’s worse? The stack buffer overflow vulnerability doesn’t require any user interaction and needs only a low-privilege Skype user account.
So, an attacker can remotely crash the application “with an unexpected exception error, to overwrite the active process registers,” or even execute malicious code on a target system running the vulnerable Skype version.
The issue resides in the way Skype uses the ‘MSFTEDIT.DLL’ file in case of a copy request on local systems.
According to the vulnerability report, attackers can craft a malicious image file and then copy and paste it from a computer’s clipboard into a conversation window in the Skype application.
Once this image is held on the clipboard of both the remote and the local systems, Skype experiences a stack buffer overflow, causing errors and crashing the application, which leaves the door open for further exploitation.
“The limitation of the transmitted size and count for images via print of the remote session clipboard has no secure limitations or restrictions. Attackers [can] crash the software with one request to overwrite the EIP register of the active software process,” researchers from Vulnerability Lab say.
“Thus allows local or remote attackers to execute own codes on the affected and connected computer systems via the Skype software,” they added.
If you are a Skype user, make sure that you run the latest version of the application on your system in order to protect yourself from cyber attacks based on this vulnerability.
- Thu, Jun 29th, 09:38