Infosec researchers have discovered a nasty and exploitable security vulnerability in older versions of Skype on Windows.
The stack buffer overflow flaw allows miscreants to inject malicious code into Windows boxes running older versions of Skype, bug hunters at Vulnerability Laboratory warn:
The issue can be exploited remotely via session or by local interaction. The problem is located in the print clipboard format & cache transmit via remote session on Windows XP, Windows 7, Windows 8 and Windows 10. In Skype v7.37 the vulnerability is patched.
The CVE-2017-9948 bug involves mishandling of remote RDP clipboard content within the message box.
Microsoft said the bug isn't a problem for those running the latest version of its software.
"Users on the latest Skype client are automatically protected, and we recommend upgrading to this version for the best protection," a Microsoft spokesperson told El Reg.
Vulnerability Laboratory's Benjamin Kunz Mejri responded that although Microsoft had fixed this issue with version 7.37, widely used versions 7.2, 7.35 and 7.36 are still vulnerable to what he described as a "critical" security issue.
More details of the flaw can be found in an article by Vulnerability Laboratory here. ®