Skype users may be a risk from a moderately critical code execution vulnerability that could potentially allow an attacker to execute arbitrary code.
The vulnerability stems from how Skype handles URIs.According to an advisory from VeriSign’s iDefense security research team:
The “file:” URI handler in Skype performs checks upon the URL to verify
that the link does not contain certain file extensions related to
executable file formats…
Due to improper logic when performing these checks, it is possible to
bypass the security warning and execute the program.
Skype in its own advisory on the issue elaborates on how the vulnerability could be triggered by an attacker.
An attacker would need to construct a
malicious file: URI and send it to the intended victim. Upon clicking
the link execution of arbitrary code on the victim’s machine will be
possible.
All Skype for Windows releases releases prior to and including 3.8.*.115 are at risk. The vulnerability has been fixed in the newly released version 3.8.0.139.
If you’re a Skype user don’t rely on getting an update notification before you update. In my case. I was running 3.8.0.115, I hit the ‘check for updates’ button and got a window stating that I had the most recent version of Skype (which isn’t actually the case). In my limited experience with this issue, you actually need to physcially visit the Skype download page and download the latest version to make certain you’re not at risk from this URI vulnerability.