Overview
A buffer overflow in the way Skype handles imported VCARDs may allow a remote attacker to execute code on a vulnerable system.
Description
Skype software provides telephone service over IP networks. Skype fails to properly validate imported VCARDs, allowing a buffer overflow to occur. The buffer overflow may stem from an input validation error in the Delphi routine SysUtils.WideFmtStr(...). For more information, please see Skype Security Bulletin SKYPE-SB/2005-002 and Delphi Bug Report 4744. |
Impact
A remote attacker may be able to execute arbitrary code if they can persuade a user to import a specially crafted VCARD with a Skype-specific URI with a vulnerable Skype installation. |
Solution
Upgrade Skype Please see Skype Security Bulletin SKYPE-SB/2005-002 for a list of fixed Skype versions. |
Do not import VCARDs from untrusted sources
|
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
This vulnerability was reported by SKY-CERT. SKY-CERT credits Mark Rowe of Pentest Limited with providing information regarding this issue.
This document was written by Jeff Gennari.
Other Information
| CVE IDs: | CVE-2005-3265 |
| Severity Metric: | 10.13 |
| Date Public: | 2005-10-25 |
| Date First Published: | 2005-10-26 |
| Date Last Updated: | 2005-12-19 14:34 UTC |
| Document Revision: | 11 |