0day ...Critical Skype Bug ...#2017 RCEsteemCreated with Sketch.

in #news9 years ago

crash-skype.png

 A critical vulnerability has been discovered in Microsoft-owned most popular free web messaging and voice calling service Skype that could allow hackers to remotely execute malicious code and crash systems.
 

Skype is a free online service that allows users to communicate with  peers by voice, video, and instant messaging over the Internet. The  service was acquired by Microsoft Corporation in May 2011 for US$8.5  Billion due to its worldwide popularity.
 

Security researcher Benjamin Kunz-Mejri from Germany-based security firm  Vulnerability Lab discovered the previously unknown stack buffer  overflow vulnerability, which is documented in CVE-2017-9948, in Skype Web's messaging and call service during a team conference call.
      
The vulnerability is considered a high-security risk with a 7.2 CVSS  score and affects Skype versions 7.2, 7.35, and 7.36 on Windows XP,  Windows 7 and Windows 8, Mejri said in a public security disclosure published on Monday.
 

"The issue can be exploited remotely via session or by local  interaction. The problem is located in the print clipboard format &  cache transmit via remote session on Windows XP, Windows 7, Windows 8  and Windows 10. In Skype v7.37 the vulnerability is patched," the  security firm wrote.

No User Interaction Needed

What's worst? The stack buffer overflow vulnerability doesn't require  any user interaction, and only require a low privilege Skype user  account.
 

So, an attacker can remotely crash the application "with an unexpected  exception error, to overwrite the active process registers," or even  execute malicious code on a target system running the vulnerable Skype  version.
 

The issue resides in the way Skype uses the 'MSFTEDIT.DLL' file in case of a copy request on local systems.
 

Here's How Attackers can Exploit this Flaw

According to the vulnerability report, attackers can craft a malicious  image file and then copy and paste it from a clipboard of a computer  system into a conversation window in the Skype application.
    
Once this image is hosted on a clipboard on both the remote and the  local systems, Skype experiences a stack buffer overflow, causing errors  and crashing the application, which left the door open for more  exploits.
 

"The limitation of the transmitted size and count for images via print  of the remote session clipboard has no secure limitations or  restrictions. Attackers [can] crash the software with one request to  overwrite the EIP register of the active software process," researchers  from Vulnerability Lab says. 
"Thus allows local or remote attackers to execute own codes on the  affected and connected computer systems via the Skype software," they  added.

Proof-of-Concept Code Released

The security firm has also provided proof-of-concept (PoC) exploit code that you can use to test the flaw.
 


Vulnerability Lab reported the flaw to Microsoft on 16th May, and  Microsoft fixed the issue and rolled out a patch on 8 June in Skype  version 7.37.178.

 

If you are Skype user, make sure that you run the latest version of the  application on your system in order to protect themselves from cyber  attacks based on this vulnerability. 

Sort:  

Congratulations @ihab-mu! You have completed some achievement on Steemit and have been rewarded with new badge(s) :

Award for the number of upvotes received
Award for the number of upvotes

Click on any badge to view your own Board of Honnor on SteemitBoard.
For more information about SteemitBoard, click here

If you no longer want to receive notifications, reply to this comment with the word STOP

By upvoting this notification, you can help all Steemit users. Learn how here!

Coin Marketplace

STEEM 0.04
TRX 0.33
JST 0.101
BTC 63945.53
ETH 1803.59
USDT 1.00
SBD 0.39