Skype is a free online service that allows users to communicate with peers by voice, video, and instant messaging over the Internet. The service was acquired by Microsoft Corporation in May 2011 for US$8.5 billion due to its worldwide popularity.
Security researcher Benjamin Kunz-Mejri from Germany-based security firm Vulnerability Lab discovered the previously unknown stack buffer overflow vulnerability, which is documented in CVE-2017-9948, in Skype Web's messaging and call service during a team conference call.
The vulnerability is considered a high security risk with a 7.2 CVSS score and affects Skype versions 7.2, 7.35, and 7.36 on Windows XP, Windows 7 and Windows 8, Mejri said in a public security disclosure published on Monday.
"The issue can be exploited remotely via session or by local interaction. The problem is located in the print clipboard format & cache transmit via remote session on Windows XP, Windows 7, Windows 8 and Windows 10. In Skype v7.37 the vulnerability is patched," the security firm wrote.
No User Interaction Needed
What's worse? The stack buffer overflow vulnerability doesn't require any user interaction, and only requires a low-privilege Skype user account.
So, an attacker can remotely crash the application "with an unexpected exception error, to overwrite the active process registers," or even execute malicious code on a target system running the vulnerable Skype version.
The issue resides in the way Skype uses the 'MSFTEDIT.DLL' file in case of a copy request on local systems.
Here's How Attackers can Exploit this Flaw
According to the vulnerability report, attackers can craft a malicious image file and then copy and paste it from a clipboard of a computer system into a conversation window in the Skype application.
Once this image is hosted on a clipboard on both the remote and the local systems, Skype experiences a stack buffer overflow, causing errors and crashing the application, which leaves the door open for more exploits.
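The vulnerability report attributes the overflow to missing limits on the size and count of images sent through the remote session clipboard. The C code below is an added illustration of that class of check, not code from Skype, Microsoft or Vulnerability Lab; the structure, function name and limit values are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical limits for this example; not values taken from Skype. */
#define MAX_IMAGES      8u      /* images accepted per clipboard transfer */
#define MAX_IMAGE_BYTES 4096u   /* bytes accepted per image */
#define CACHE_BYTES     16384u  /* fixed-size receive cache */

typedef struct {
    const uint8_t *data;  /* sender-controlled bytes */
    size_t len;           /* sender-declared length, untrusted */
} clip_image;

typedef enum { CLIP_OK, CLIP_BAD_ARG, CLIP_TOO_MANY,
               CLIP_TOO_LARGE, CLIP_CACHE_FULL } clip_status;

/* Validate the whole batch against count, per-image and cumulative limits
 * before writing a single byte, then copy. *used receives bytes written. */
clip_status cache_clipboard_images(const clip_image *imgs, size_t count,
                                   uint8_t *cache, size_t cache_len, size_t *used)
{
    if (!imgs || !cache || !used) return CLIP_BAD_ARG;
    *used = 0;
    if (count > MAX_IMAGES) return CLIP_TOO_MANY;
    size_t total = 0;
    for (size_t i = 0; i < count; i++) {
        if (imgs[i].len && !imgs[i].data) return CLIP_BAD_ARG;
        if (imgs[i].len > MAX_IMAGE_BYTES) return CLIP_TOO_LARGE;
        /* total <= cache_len always holds, so the subtraction cannot wrap */
        if (imgs[i].len > cache_len - total) return CLIP_CACHE_FULL;
        total += imgs[i].len;
    }
    for (size_t i = 0, off = 0; i < count; off += imgs[i].len, i++)
        if (imgs[i].len) memcpy(cache + off, imgs[i].data, imgs[i].len);
    *used = total;
    return CLIP_OK;
}

int main(void) {
    static uint8_t pixels[MAX_IMAGE_BYTES + 1];   /* constructed sample data */
    uint8_t cache[CACHE_BYTES];
    size_t used;
    clip_image oversized = { pixels, sizeof pixels };
    clip_status s = cache_clipboard_images(&oversized, 1, cache, sizeof cache, &used);
    printf("oversized image: status=%d, bytes cached=%zu\n", (int)s, used);
    return 0;
}
```

Rejecting the whole batch before any copy means an oversized or over-count transfer never touches the fixed-size buffer at all.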
"The limitation of the transmitted size and count for images via print of the remote session clipboard has no secure limitations or restrictions. Attackers [can] crash the software with one request to overwrite the EIP register of the active software process," researchers from Vulnerability Lab say.
"Thus allows local or remote attackers to execute own codes on the affected and connected computer systems via the Skype software," they added.
Proof-of-Concept Code Released
The security firm has also provided proof-of-concept (PoC) exploit code that you can use to test the flaw.
If you are a Skype user, make sure that you run the latest version of the application on your system in order to protect yourself from cyber attacks based on this vulnerability.