The vulnerability stems from how Skype handles URIs. According to an advisory from VeriSign’s iDefense security research team:
The “file:” URI handler in Skype performs checks upon the URL to verify that the link does not contain certain file extensions related to executable file formats…
Due to improper logic when performing these checks, it is possible to bypass the security warning and execute the program.
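The advisory says only that the extension checks were performed with “improper logic”; it does not say what that logic was. As an added illustration (not Skype’s or iDefense’s code, and not a reconstruction of the actual flaw), the Python below shows the normalisation a file: URI handler should apply before comparing the target’s extension against a denylist: parse the URI so query and fragment are dropped, percent-decode the path, accept either path separator, and strip trailing dots and spaces that Windows ignores when opening a file. The extension list and the helper names are assumptions made for the example.

```python
from urllib.parse import urlsplit, unquote
import posixpath

# Illustrative list of extensions Windows treats as directly executable.
# This is an assumption for the example, not Skype's actual denylist.
EXECUTABLE_EXTENSIONS = frozenset({
    ".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".msi",
    ".vbs", ".js", ".hta", ".lnk", ".cpl",
})


def local_path_from_file_uri(uri: str) -> str:
    """Return the decoded, normalised path component of a file: URI.

    The check must run on the path the OS will actually open, so anything
    that could obscure the real extension is removed first.
    """
    parts = urlsplit(uri)
    if parts.scheme.lower() != "file":
        raise ValueError("not a file: URI")
    # urlsplit has already separated the query ("?...") and fragment
    # ("#..."), which are not part of the file name.
    path = unquote(parts.path)            # "%2E" -> ".", "%20" -> " "
    path = path.replace("\\", "/")        # Windows accepts either separator
    # Windows ignores trailing dots and spaces when opening a file, so the
    # check must ignore them as well.
    return path.rstrip(". \t")


def is_executable_target(uri: str) -> bool:
    """True if the file: URI points at an executable file type."""
    path = local_path_from_file_uri(uri)
    ext = posixpath.splitext(path)[1].lower()
    return ext in EXECUTABLE_EXTENSIONS


def decide(uri: str) -> str:
    """Handler policy: 'warn' for executable targets, 'open' otherwise."""
    return "warn" if is_executable_target(uri) else "open"


if __name__ == "__main__":
    # Constructed sample links, not taken from any advisory.
    for link in (
        "file:///C:/Users/victim/readme.txt",
        "file:///C:/Users/victim/setup.exe",
        "file:///C:/Users/victim/setup%2Eexe",
    ):
        print(f"{decide(link):4}  {link}")
```

The point of the design is that the decision is made on the canonical path rather than on the raw link text: every transformation the operating system will apply when it resolves the link is applied first, and only then is the extension compared. A check that compares the raw string is what the advisory’s phrase “improper logic” warns against in general terms.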
Skype in its own advisory on the issue elaborates on how the vulnerability could be triggered by an attacker.
An attacker would need to construct a malicious file: URI and send it to the intended victim. Upon clicking the link, execution of arbitrary code on the victim’s machine will be
All Skype for Windows releases prior to and including 3.8.*.115 are at risk. The vulnerability has been fixed in the newly released version 220.127.116.11.
If you’re a Skype user, don’t rely on getting an update notification before you update. In my case, I was running 18.104.22.168, I hit the ‘check for updates’ button and got a window stating that I had the most recent version of Skype (which isn’t actually the case). In my limited experience with this issue, you actually need to physically visit the Skype download page and download the latest version to make certain you’re not at risk from this URI vulnerability.