14 DAY TRIAL // A new security vulnerability has been discovered in Microsoft’s software, this time in the Windows desktop version of instant messaging app Skype.
Vulnerability Lab security researcher Benjamin Kunz Mejri explains that the stack buffer overflow bug, which is documented in CVE-2017-9948, exists in Skype versions 7.2, 7.35, and 7.36.
The worst thing is that it does not require user interaction, and an attacker can crash the application or even execute malicious code on a target system running the vulnerable Skype version.
According to the vulnerability report, it’s all because of a security bug in the MSFTEDIT.DLL library, which can be exploited by an attacker by copying a malicious image file to clipboard and then pasting it in a conversation window in Skype. Once the photo is stored on both the remote and the local systems, Skype experiences a stack buffer overflow, crashing and then leaving the door open for more exploits.
Patch rolled out on June 8
“The successful attack scenario is not limited to manual exploitation only. Attackers can locally prepare the cache and clipboard of a computer system to exploit the connected remote party computer system using skype,” the security researcher explains in the vulnerability report.
“Exploitation of the buffer overflow software vulnerability requires no user interaction and only a low privilege skype user account. Successful exploitation of the buffer overflow vulnerability results in system and process compromise by an overwrite of the registers.”
Microsoft has already patched the bug in Skype version 7.37.178 and users are recommended to install this version as soon as possible to make sure that they’re not targeted by attacks based on this vulnerability. The patch was rolled out on June 8.
At this point, there are no reports of successful attacks involving this vulnerability given that the flaw was privately reported, but following the public disclosure on June 26, it’s critical for Skype users to update the software as soon as possible. Only the Windows version is affected.