Users running older versions of Skype risk attack from a newly disclosed vulnerability.

A boundary error involving the Skype4COM URI handler creates a buffer overflow risk. This, in turn, provides a means for hackers to attack users running vulnerable versions of Skype who visit maliciously-constructed websites.

The vulnerability is confirmed in Skype 3.5.0.239. Other versions of the popular VoIP package prior to 3.6.0.216 may also be affected.

Details of the flaw were reportedly submitted to Skype in early November. Skype released an update in mid-November that touted higher video quality. It also fixed the security bug, a point Skype itself neglected to mention. Information on the vulnerability only emerged following an advisory from security tools vendor Tipping Point late last week. ®

Related stories

• Disaster recovery bug hangs up Cisco comms kit (7 April 2008)
• SkypeFinds another security snafu (1 February 2008)
• Skype Trojan wiretap plan leaks onto the net (29 January 2008)
• Skype blocks poison movie peril (18 January 2008)
• Skype confirms / denies job cuts (11 December 2007)
• Skype crypto stumps German cops (23 November 2007)
• Analysis VoIP is Dead. It's just another feature, now (29 October 2007)
• 3 UK brings VoIP to cheapskates (26 October 2007)
• Skype mobile phone on its way? (22 October 2007)
• Reader Poll IP telephony: does it float your boat? (19 October 2007)
• Skype rings up a loss for eBay (18 October 2007)
• Skype Trojan steals login credentials (17 October 2007)
• Skype in MySpace hook-up (17 October 2007)