SKYPE-SB/2006-001: Improper handling of URI arguments

SKYPE-SB/2006-001: Improper handling of URI arguments
Bulletin title: Improper handling of URI arguments
Bulletin ID: SKYPE-SB/2006-001
Bulletin status: FINAL
Date of announcement: 2006-05-19 08:00:00 +0000
Products affected: Skype for Windows
Vulnerability type: Argument handling
CVE references: CVE-2006-2312
Risk assessment: MEDIUM
CVSS base score: 3.5 (AV:R/AC:L/Au:NR/C:P/I:N/A:N/B:C)
Cross-references: None
Table of contents:

1. Problem description and brief discussion

2. Impact and affected software

3. Solution or work-around

4. Special instructions and notes

5. Software download location

6. Authenticity verification

7. Common Vulnerability Scoring System (CVSS) assessment

8. Credits and additional information

9. Bulletin release history

10. Notices

11. Problem description and brief discussion
    Description

A security bug in the Skype for Windows user client has been
identified and fixed.

In some circumstances, a Skype URL can be crafted that, if followed,
initiates the transfer of a single named file to another Skype user.
Discussion

An attacker who constructs a Skype URL that is malformed in a
specific way can initiate the transfer of a single named file from
one Skype user to another, provided that the sender follows the
malicious link and that the recipient has previously authorized the
sender.

This behavior is due to incorrect parsing of the parameters passed
by the URI handler. The vulnerability depends on several factors,
including host configuration and the authorization relationship
of the sender and the receiver.

The attack requires the targeted user to manually follow a specially
crafted malformed link, such as on a web page. Depending on several
factors, doing so may result in the initiation of a file transfer,
which will be accompanied by the normal Skype file transfer dialogue
box. If a file transfer is started, it will be visible to the user
and may be cancelled by the sender by selecting "Cancel" in the
normal way.

This is tracked by Mitre CVE ID CVE-2006-2312.
2. Impact and affected software
Impact

An attacked Skype user may send a specifically named file to another
user without having explicitly consented to the action.
Affected software

The following Skype clients are vulnerable to this attack:

Skype for Windows:
All releases prior to and including 2.0..104
Release 2.5..0 to and including 2.5.*.78
3. Solution or work-around

An official fix to the issue covered by this Security Bulletin has
been released. To implement this fix, update to one of the
following releases of Skype. (Downloading instructions are shown
in Section 4 of this Bulletin.)

Skype for Windows:
Skype 2.5, release 2.5..79 or later
Skype 2.0, release 2.0..105 or later
4. Special instructions and notes

None.
5. Software download location

The preferred method for installing security updates is to download
the software directly from Skype's website, from the website of
Skype's authorized partners, or from a reliable mirror site. Skype
may also be safely downloaded from other locations, but in this
case it is particularly important that you verify the authenticity
of the download.

We recommend that once you download any Skype software that you
verify its integrity by the methods listed in Section 6 of this
Bulletin.

x86 platform, Microsoft Windows 2000 or Microsoft Windows XP:
http://www.skype.com/products/skype/windows/

x86 platform, Linux:
http://www.skype.com/products/skype/linux/

PPC platform, Mac OS X v10.3 (Panther) or later:
http://www.skype.com/products/skype/macosx/

Pocket PC platform, Microsoft Windows Mobile 2003:
http://www.skype.com/products/skype/pocketpc/
6. Authenticity verification

• Bulletin authenticity verification:

Skype security bulletins are published on Skype's web site and
via mailing lists. The authenticity and integrity of a Skype
security bulletins may be determined by inspecting the crypto-
graphic signature that is attached to each bulletin. All Skype
security bulletins are published with a valid digital signature
produced by PGP.

• Software authenticity verification:

• Software authenticity verification:

Both the Skype installer program and the Skype program that is
installed by the installer are digitally signed.

For Skype software built for Microsoft Windows operating
environments, the digital certificate used by Skype to sign
software packages is signed by "VeriSign Class 3 Code Signing 2004
CA".

For Skype software built for Linux platforms, all packages are
signed by PGP key ID 0xD66B746E, the public component of which may
be downloaded from http://www.skype.com/products/skype/linux/.

• For general information about Skype security, please visit the
  Skype Security Resource Center at http://www.skype.com/security/.

7. Common Vulnerability Assessment System (CVSS) assessment

Skype has rated the issue covered by this Security Bulletin under
the CVSS scheme as follows:

Base metrics:

Access Vector (AV) … Remote
Access Complexity (AC) … Low
Authentication (Au) …,… Not Required
Confidentiality Impact (C) … Partial
Integrity Impact (I) … None
Availability Impact (A) … None
Impact Bias (B) … Confidentiality

Computed CVSS base score: 3.5

Temporal metrics as of 2006-05-19

Exploitability (E) … Functional
Remediation Level (RL) … Official Fix
Report Confidence (RC) … Confirmed

Computed CVSS temporal score: 2.9

Skype participates in the CVSS by rating each identifiable security
vulnerability against the CVSS base metrics. In addition, Skype
may rate each vulnerability against temporal metrics from time to
time. As suggested by the name, temporal metrics for a particular
vulnerability may change from time to time.

More information about the CVSS may be obtained from the CVSS host
website at http://www.first.org/cvss/.
8. Credits and additional information

Skype would like to thank and credit Brett Moore of Security- Assessment.com Ltd of New Zealand for having referred this problem to Skype.
9. Bulletin release history

2006-05-19 Initial bulletin release
10. Notices

Copyright 2006 Skype Technologies, S.A. All rights reserved.

This Skype Security Bulletin may be reproduced and distributed,
provided that the Bulletin is not modified in any way and is
attributed to Skype Technologies, S.A. and provided that repro-
duction and distribution is performed for non-commercial purposes.

This Skype Security Bulltin is provided to you on an "AS IS" basis
and may contain information provided by third parties. Skype makes
no guarantees or warranties as to the information contained herein.
ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT
LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED.