Skype at risk from security vulnerability
The vulnerability stems from how Skype handles URIs. According to an advisory from VeriSign's iDefense security research team:
The "file:" URI handler in Skype performs checks upon the URL to verify
that the link does not contain certain file extensions related to
executable file formats...
Due to improper logic when performing these checks, it is possible to
bypass the security warning and execute the program.
Skype, in its own advisory on the issue, elaborates on how an attacker could trigger the vulnerability.
An attacker would need to construct a
malicious file: URI and send it to the intended victim. Upon clicking
the link execution of arbitrary code on the victim's machine will be
All Skype for Windows releases prior to and including 3.8.*.115 are at risk. The vulnerability has been fixed in the newly released version 220.127.116.11.
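
The kind of extension check the iDefense advisory describes, as an added example (not Skype's code and not taken from either advisory): a denylist applied to the raw URI string, next to a check that canonicalizes the file name first and then applies an allowlist. The page does not say which logic error Skype made; the extension lists, function names and sample URIs below are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Constructed lists for illustration; not Skype's actual lists.
DENIED = {".exe", ".bat", ".cmd", ".com", ".scr"}
ALLOWED = {".txt", ".pdf", ".png", ".jpg"}

def naive_is_blocked(uri: str) -> bool:
    """Fragile pattern: exact-case suffix match of a denylist on the raw string."""
    return any(uri.endswith(ext) for ext in DENIED)

def canonical_extension(uri: str) -> str:
    """Extension of the file a local file: URI names, after canonicalization."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "file":
        raise ValueError("not a file: URI")
    if parts.netloc not in ("", "localhost"):
        raise ValueError("remote host in file: URI")
    path = unquote(parts.path)                    # undo percent-encoding once
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.split(":", 1)[0]                  # drop NTFS stream suffix
    name = name.rstrip(". ")                      # Windows ignores trailing dots/spaces
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""  # case-fold before comparing

def is_safe_to_open(uri: str) -> bool:
    """Fail closed: open only allowlisted types; anything unparseable is refused."""
    try:
        return canonical_extension(uri) in ALLOWED
    except ValueError:
        return False

# Constructed regression cases: (URI, should the handler open it without warning?)
SAMPLES = [
    ("file:///C:/Users/alice/notes.txt", True),
    ("file:///C:/Temp/tool.exe", False),
    ("file:///C:/Temp/tool.EXE", False),
    ("file:///C:/Temp/tool.exe.", False),
    ("file:///C:/Temp/tool%2Eexe", False),
]

def compare(samples=SAMPLES):
    """Return (uri, naive_blocked, hardened_allows, expected_allow) per sample."""
    return [(u, naive_is_blocked(u), is_safe_to_open(u), want) for u, want in samples]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

The denylist on the raw string catches only the exact lower-case spelling, while the canonicalize-then-allowlist check gives the expected answer for every sample.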