Zero-day Skype flaw causes crashes, remote code execution

The critical flaw doesn’t require any user interaction, either.

A critical flaw in Microsoft’s Skype web messaging and call service allows attackers to crash systems and execute code.

This week, Vulnerability Lab security researcher Benjamin Kunz Mejri revealed the previously unknown vulnerability in a public security disclosure, saying the stack buffer overflow flaw, CVE-2017-9948, impacts Skype versions 7.2, 7.35, and 7.36.

Granted a CVSS score of 7.2, the stack buffer overflow flaw is considered dangerous as it permits attackers to remotely crash the application with an unexpected exception error, to overwrite the active process registers, and to execute malicious code.

The problem occurs in Skype’s use of the MSFTEDIT.DLL file when handling a copy request on local systems.

The security team tested this by copying a crafted image file to the clipboard and pasting it into the Skype message box. When the image was held on the clipboard of both a remote and a local system and then transmitted, Skype hit a stack buffer overflow, causing errors and a crash which can then be exploited.

The vulnerability can be exploited by both local and remote attackers without any interaction on the victim’s account; all an attacker needs is a Skype user account with low privileges.

“The limitation of the transmitted size and count for images via print of the remote session clipboard has no secure limitations or restrictions,” Vulnerability Lab says. “Attackers are able to crash the software with one request to overwrite the EIP register of the active software process.”

“Thus allows local or remote attackers to execute own codes on the affected and connected computer systems via the Skype software,” the team added.

Vulnerability Lab also provided proof-of-concept (PoC) code within the security disclosure.

Vulnerability Lab first notified Microsoft of the bug on 16 May. After Microsoft’s team acknowledged the problem and developed a fix, a patch was deployed on 8 June, leading to public disclosure on 26 June.

The bug has been patched in Skype version 7.37.178, and users should make sure their software is up-to-date to protect themselves from this threat.
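For administrators checking a fleet against the fixed build, the following is an added example, not code from Vulnerability Lab or Microsoft. It assumes a hypothetical `host,version` inventory export; the sample hosts and build numbers are constructed, and only 7.37.178 and the 7.2, 7.35 and 7.36 versions come from the article.

```python
import re

FIXED = (7, 37, 178)                         # fixed build named in the article
NAMED_LINES = {(7, 2), (7, 35), (7, 36)}     # versions the disclosure names as impacted

# Constructed sample inventory (host,version); not real data.
SAMPLE_INVENTORY = """\
ws-001,7.36.0.150
ws-002,7.37.178
ws-003,7.4.0.102
ws-004,7.40.0.104
ws-005,unknown
ws-006,7.2.0.103
"""

def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not dotted-numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(version_text):
    """Classify one reported version against the fixed build."""
    version = parse_version(version_text)
    if version is None:
        return "unparseable"          # cannot confirm the fix; review by hand
    # Compare numerically per component: as strings, "7.4" sorts above "7.37.178".
    padded = version + (0,) * max(0, len(FIXED) - len(version))
    if padded >= FIXED:
        return "patched"
    if version[:2] in NAMED_LINES:
        return "named-affected"
    return "below-fix"                # older than the fix, not named in the disclosure

def audit(inventory_text):
    """Map each host to its status, skipping blank lines."""
    results = {}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, _, version_text = line.partition(",")
        results[host.strip()] = classify(version_text)
    return results

def needs_update(results):
    """Hosts that are not confirmed at or above the fixed build."""
    return sorted(h for h, status in results.items() if status != "patched")
```

Builds that are older than the fix but not named in the disclosure are reported separately as `below-fix`, since the article does not say whether they are affected.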