Skype today announced that there is a serious security vulnerability in Skype for Windows versions older than 3.6.x.216. As noted:
An exploitable memory corruption may occur during the parsing of URIs which can result in arbitrary code execution under the user rights of the current Windows account.
It turns out that this was fixed in the release back on November 15th, but Skype had an “unintentional communication oversight”:
At Skype, we strive to inform the public of vulnerabilities and malware that may affect Skype software. While this particular vulnerability was fixed, there was an unintentional communication oversight and we failed to bring the case to the public’s attention. All we can do now is to apologize.
Thanks for the apology, Skype… and now would be a really good time for any Windows Skype users out there to look at upgrading!
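For anyone who has to check an estate of Windows machines rather than one desktop, here is an added example (not code from the original post or from Skype) that flags Skype version strings older than the fixed build named above. It reads a constructed `hostname,version` inventory and treats the advisory's "3.6.x.216" as any 3.6 build whose fourth component is below 216, with every earlier 3.x/2.x release counted as affected; that reading is an assumption, as is the inventory format.

```python
import re
from typing import Dict, Iterable, Tuple

# Threshold taken from the advisory wording "older than 3.6.x.216".
# The third component is a wildcard in that text, so it is not compared.
FIXED_MAJOR, FIXED_MINOR, FIXED_BUILD = 3, 6, 216

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Split a dotted four-part version string into integers.

    Raises ValueError for anything that is not exactly four numeric fields,
    so unparseable inventory entries are surfaced instead of silently passed.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, revision, build = (int(part) for part in match.groups())
    return major, minor, revision, build


def is_vulnerable(version: str) -> bool:
    """True if the version predates the fixed 3.6.x.216 build.

    Assumed interpretation of the advisory: any release below 3.6 is affected,
    a 3.6 release is affected only when its build number is below 216, and
    anything newer than 3.6 already carries the fix.
    """
    major, minor, _revision, build = parse_version(version)
    if (major, minor) < (FIXED_MAJOR, FIXED_MINOR):
        return True
    if (major, minor) == (FIXED_MAJOR, FIXED_MINOR):
        return build < FIXED_BUILD
    return False


def triage_inventory(lines: Iterable[str]) -> Dict[str, str]:
    """Map each hostname to 'upgrade', 'ok' or 'unknown'.

    Each line is 'hostname,version'; blank lines are skipped and entries whose
    version cannot be parsed are reported as 'unknown' rather than dropped.
    """
    results: Dict[str, str] = {}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        host, _, version = line.partition(",")
        try:
            results[host] = "upgrade" if is_vulnerable(version) else "ok"
        except ValueError:
            results[host] = "unknown"
    return results


# Constructed sample inventory; hostnames and version strings are made up.
SAMPLE_INVENTORY = """\
ws-001,3.5.0.239
ws-002,3.6.0.216
ws-003,3.6.0.244
ws-004,3.6.0.120
ws-005,2.5.0.151
ws-006,not-installed
"""


if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY.splitlines()).items()):
        print(f"{host}: {status}")
```

Only the `upgrade` and `unknown` rows need a human to act; the `unknown` bucket exists so that a machine with no parseable version is never mistaken for a patched one.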
P.S. Tip of the hat to Ryan Naraine’s Zero Day blog where we noticed the item this morning.
skype, voip, voip security, security