Overview
Skype for Mac contains a format string vulnerability in the handling of URIs, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Description
Skype software provides telephone service over IP networks. There is a format string vulnerability in the NSRunAlertPanel function in the routines that handle Skype-specific URIs, such as skype://.
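Added illustration of this bug class, not Skype's code and not part of the original advisory: NSRunAlertPanel takes a printf-style message format, so text derived from a URI belongs in an argument, never in the format position. The C sketch below uses snprintf as a stand-in for that API; the function names, message text and sample URI are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Number of '%' sequences a printf-style function would treat as the start
   of a conversion if `s` were used as the format string ("%%" is a literal
   percent sign and is skipped). Anything above 0 means `s` must never be
   passed in the format position. */
size_t conversions_if_used_as_format(const char *s)
{
    size_t count = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%') {   /* escaped percent, consumes both bytes */
            i++;
            continue;
        }
        count++;
    }
    return count;
}

/* Hardened pattern: the format is a compile-time constant and the URI is
   passed only as data, so '%' sequences in it are copied verbatim.
   Returns 0 on success, -1 if the message did not fit the buffer.
   The message text is hypothetical. */
int format_alert(char *out, size_t out_len, const char *uri)
{
    int n = snprintf(out, out_len, "Cannot open link: %s", uri);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample: ordinary percent-encoding already looks like a
       conversion specification to a format function. */
    const char *uri = "skype://constructed.example/Jane%20Doe";
    char msg[128];

    printf("conversions if misused as format: %zu\n",
           conversions_if_used_as_format(uri));
    if (format_alert(msg, sizeof msg, uri) == 0)
        puts(msg);
    return 0;
}
```

Because URIs routinely carry percent-encoded bytes, even a benign link is misparsed when it reaches the format position, which is why the fix is structural (constant format, URI as argument) rather than input filtering.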
Impact
By sending a specially crafted URI to Skype, a remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the user. Such a URI can be sent to Skype by convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment). The attacker could also cause Skype to crash.
Solution
Apply an update
This vulnerability is addressed in Skype for Mac release 1.5.*.80 or later.
Acknowledgements
This vulnerability was reported by Tom Ferris of Security-Protocols.
This document was written by Will Dormann.
Other Information
CVE IDs: CVE-2006-5084
Severity Metric: 8.29
Date Public: 2006-10-03
Date First Published: 2006-10-06
Date Last Updated: 2006-10-06 20:25 UTC
Document Revision: 2