A critical flaw in Microsoft’s Skype web messaging and call service allows attackers to crash systems and execute code.
Granted a CVSS score of 7.2, the stack buffer overflow flaw is considered dangerous as it permits attackers to remotely crash the application with an unexpected exception error, to overwrite the active process registers, and to execute malicious code.
The security team tested the file by copying and pasting a crafted image file from a clipboard into the Skype message box, and when this image was hosted on a clipboard both on a remote and local system, when transmitted, Skype was prompted into a stack buffer overflow, causing errors and a crash which can then be exploited.
The vulnerability can be utilized by both local and remote attackers without any interaction on the victim’s account, and only a Skype user account with low privileges is a necessary tool for attackers.
“Thus allows local or remote attackers to execute own codes on the affected and connected computer systems via the Skype software,” the team added.
Vulnerability Lab also provided proof-of-concept (PoC) code within the security disclosure.
Vulnerability Lab first notified Microsoft of the bug on 16 May. After Microsoft’s team acknowledged the problem and developed a fix, a patch was deployed on 8 June, leading to public disclosure on 26 June.