=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2008/VULN207
_____________________________________________________________________

DATE                      : 05/06/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Skype.

======================================================================

http://www.skype.com/security/skype-sb-2008-003.html
______________________________________________________________________


SKYPE-SB/2008-003: Skype File URI Security Bypass Code Execution
Vulnerability


Bulletin title: 	Skype File URI Security Bypass Code Execution Vulnerability
Bulletin ID: 	SKYPE-SB/2008-003
Bulletin status: 	PRELIMINARY
Date of announcement: 	2008-06-04 14:00:00 +0000
Products affected: 	Skype for Windows
Vulnerability type: 	Original Vulnerability
CVE references: 	
Risk assessment: 	MEDIUM
CVSS base score: 	5.6 (AV:N/AC:M/Au:N/C:N/I:C/A:N/E:PoC/RL:OF/RC:C)
Cross-references: 	
Table of contents:

    1. Problem description and brief discussion
    2. Impact and affected software
    3. Solution or work-around
    4. Special instructions and notes
    5. Software download location
    6. Authenticity verification
    7. Common Vulnerability Scoring System (CVSS) assessment
    8. Credits and additional information
    9. Bulletin release history
   10. Notices


1. Problem description and brief discussion

Description

Remote exploitation of a security policy bypass in Windows Skype
versions could allow an attacker to execute arbitrary code.

URI handler in Skype performs checks upon the URL to verify that the
link does not contain certain file extensions related to executable file
formats. If the link is found to contain a blacklisted executable file
extension a security warning dialog is shown to the user. This check is
flawed in two ways. The check is performed using the case sensitive
comparison.

The second flaw in this check is that the blacklist fails to mention all
potential executable file formats. This allows an attacker to bypass
this security policy and execute arbitrary code if a victim clicks an
attacker supplied URL.


2. Impact and affected software

Impact

Exploitation of this issue allows an attacker to execute arbitrary code
on the targeted victim's machine. An attacker would need to construct a
malicious file: URI and send it to the intended victim. Upon clicking
the link execution of arbitrary code on the victim's machine will be
possible.


Affected software

The following Skype clients are vulnerable to this attack:

Skype for Windows:
All releases prior to and including 3.8.*.115


3. Solution or work-around

Skype has fixed the vulnerability in version 3.8.0.139


4. Special instructions and notes

None.


5. Software download location

The preferred method for installing security updates is to download the
software directly from Skype's website, from the website of Skype's
authorized partners, or from a reliable mirror site. Skype may also be
safely downloaded from other locations, but in this case it is
particularly important that you verify the authenticity of the download.

We recommend that once you download any Skype software that you verify
its integrity by the methods listed in Section 6 of this Bulletin.

x86 platform, Microsoft Windows 2000 or Microsoft Windows XP:
http://www.skype.com/download/skype/windows/

x86 platform, Linux: http://www.skype.com/download/skype/linux/

PPC and x86 platforms, Mac OS X v10.3.9 or later:
http://www.skype.com/download/skype/macosx/

Pocket PC platform, Microsoft Windows Mobile 2003:
http://www.skype.com/download/skype/pocketpc/


6. Authenticity verification

- Bulletin authenticity verification:

Skype security bulletins are published on Skype's web site and via
mailing lists. The authenticity and integrity of a Skype security
bulletins may be determined by inspecting the crypto- graphic signature
that is attached to each bulletin. All Skype security bulletins are
published with a valid digital signature produced by PGP.

- Software authenticity verification:

Both the Skype installer program and the Skype program that is installed
by the installer are digitally signed.

For Skype software built for Microsoft Windows and Mac OSX operating
environments, the digital certificate used by Skype to sign software
packages is signed by "VeriSign Class 3 Code Signing 2004 CA".

For Skype software built for Linux platforms, all packages are signed by
PGP key ID 0xD66B746E, the public component of which may be downloaded
from http://www.skype.com/download/skype/linux/.

- For general information about Skype security, please visit the Skype
Security Resource Center at http://www.skype.com/security/.


7. Common Vulnerability Assessment System (CVSS) assessment

Skype has rated the issue covered by this Security Bulletin under the
CVSS scheme as follows:

Base metrics as of 2008-06-04:

Access Vector (AV) ........... Network
Access Complexity (AC) ....... Medium
Authentication (Au) .....,.... None
Confidentiality Impact (C) ... None
Integrity Impact (I) ......... Complete
Availability Impact (A) ...... None

Computed CVSS base score: 7.1

Temporal metrics as of 2008-06-04

Exploitability (E) ........... proof-of-concept
Remediation Level (RL) ....... official-fix
Report Confidence (RC) ....... confirmed

Computed CVSS temporal score: 5.6

Skype participates in the CVSS by rating each identifiable security
vulnerability against the CVSS base metrics. In addition, Skype may rate
each vulnerability against temporal metrics from time to time. As
suggested by the name, temporal metrics for a particular vulnerability
may change from time to time.

More information about the CVSS may be obtained from the CVSS host
website at http://www.first.org/cvss/.


8. Credits and additional information

Skype would like to thank Ismael Briones (Inkatel.com) working with the
iDefense VCP


9. Bulletin release history

2008-06-04 Initial bulletin release


10. Notices

Copyright 2008 Skype Technologies, S.A. All rights reserved.

This Skype Security Bulletin may be reproduced and distributed, provided
that the Bulletin is not modified in any way and is attributed to Skype
Technologies, S.A. and provided that repro- duction and distribution is
performed for non-commercial purposes.

This Skype Security Bulltin is provided to you on an "AS IS" basis and
may contain information provided by third parties. Skype makes no
guarantees or warranties as to the information contained herein. ANY AND
ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED.

To report a security issue to Skype, please send an e-mail that
describes the problem or vulnerability to security@skype.com. Please
consider securing any reports that disclose security vulnerabilities by
encrypting them using the current PGP key of the Skype Computer
Emergency Response Team (SKY-CERT), PGP key ID 0xAD2DF320.



======================================================================

           =========================================================
           Les serveurs de référence du CERT-Renater
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================