VoIP Darling Skype Divulges Flaws In All Clients
2005-10-25 09:49:00
Skype acknowledged Tuesday that all its VoIP (Voice over Internet Protocol) clients suffer from bugs that leave machines susceptible to crashes and/or open them to attacks that could take control of the computers. But even as it patched the software, one analyst questioned how the popular service carried out the fix.
The flaws, which were reported by Danish vulnerability tracker Secunia and judged a "Highly critical" problem, involve the Windows, Linux, Mac OS X, and Pocket PC versions of the Skype client.
But even as Skype released patches for all but the bug in Pocket PC, Lawrence Orans, a research director at Gartner and an expert on VoIP security, questioned the company's ability to deliver a secure network.
"Earlier this year, when Microsoft's instant messenger client was vulnerable, Microsoft shut down [MSN] and then when users tried to connect, required them to update to a patched client. Microsoft essentially did our vulnerability management for us," said Orans.
Not so with Skype. When TechWeb launched a vulnerable version of the Windows client Tuesday, Skype did not require an update to connect to its network. Nor did it offer the fixed version when the client's "Check for Update" feature was selected, but instead presented another vulnerable edition.
One of the Skype bugs -- found by a pair of researchers from U.K.-based security firm Pentest, Limited -- affects Skype for Windows 1.1.0.0 through - 1.4.0.83, and can be used by attackers to first generate a buffer overflow on the PC, then use that to drop additional code on the computer. All the attacker needs to do is convince a user to click on a malicious Skype-style URL.
"In addition, Skype can be made to execute arbitrary code during importation of a VCARD that is in a specific non-standard format," wrote the Pentest researchers, Mark Rowe and Joe Moore, in their advisory.
Skype fixed the flaw and released an updated Windows client, version 1.4.0.84, which can be downloaded from the Luxembourg-based company's Web site.
The second security bulletin released Tuesday affects all current clients -- Windows, Mac, Linux, and Pocket PC -- but according to Skype, doesn't pose as much of a danger.
An attacker would need to send a stream of specially-crafted network traffic to a Skype client to cause a crash.
Skype fixed this problem for the Windows, Mac OS X, and Linux clients, but not for Pocket PC. "No patch is yet available," said Skype in the bulletin about Pocket PC. Windows, Linux, and Mac users should download the new client immediately.
On the same day Skype patched the vulnerabilities, the Computing Technology Industry Association (CompTIA) released a survey of small- and mid-sized businesses that put VoIP at the bottom of the trust ladder.
According to the CompTIA's poll, only 48 percent of the businesses surveyed currently trust IP telephony's security. By comparison, 76 percent said they trusted the security of traditional telephone networks and 65 percent said they trusted cabled computer networks.
IP telephony even lagged behind wireless, traditionally a part of the communications infrastructure that raises the most security suspicions: 55 percent of the respondents said they trusted wireless, beating VoIP by 7 points.
Those number don't surprise Gartner's Orans. "Concern over security has grown since the beginning of the year," he said, fueled in large part by the relatively new protocols that VoIP relies on, and their inherent insecurity.
"They're risky because they've not [yet] faced the same level of scrutiny as other protocols," he said.
"Voice is the most mission critical application in business," he added. "Any time you make changes to voice, jobs and careers are on the line."
In fact, Gartner has recommended that business steer clear of Internet telephony solutions like Skype, citing security as the basis of its concern. "We advise businesses not to use Skype, because it uses port 443 or port 80, which should be used for SSL and HTTP [respectively]. Companies that allow Skype have more lax firewall policies than are desirable."
eBay, which two weeks ago closed on its acquisition of Skype, did not respond to a call for comment on the VoIP vulnerabilities.
Coincidentally, Tuesday also marked the public debut of Skype Groups, a business-centric service aimed at smaller firms which want to manage multiple Skype users under one master account.
|
|
RFID Firm Turns To Google For Pro-RFID Campaign
Companies trying to influence public opinion once shelled out big bucks for full-page advertisements in major newspapers, but today they may be as likely to spend those dollars on sponsored links on Google.
AskMeNow Adds The Human Touch To Mobile Search
The mobile phone remains a cumbersome device for getting information from the Internet, so Web site AskMeNow is offering search with a human touch.
Microsoft Rivals Say 'Live' Is 'Dead'
Microsoft Corp.'s rivals in delivering software as a Web service said Tuesday that the software giant's vision for what it calls "live software" is dead on arrival.
Holiday Online Sales To Come At A Cost To Retailers
While online retailers are not expected to receive coal from Santa Claus this holiday season, they are expected to see profit margins shrink, a research firm said Tuesday.
Microsoft's Free Web-based Virus Scanner Sends Data Back To Microsoft
As part of the Windows Live services that Microsoft touted Tuesday, the Redmond, Wash.-based developer rolled out a beta version of a free Web service that scans for and removes viruses, removes unnecessary files from the hard drive, and schedules a disk defragmentation. Some users may be uneasy about using the service, however, since by default the virus scanner transmits information about the PC and its applications to Microsoft.
Nokia Launches Mobile-TV Phone
SAN JOSE, Calif. — Nokia Corp.'s first phone capable of receiving mobile broadcast TV, the N92, employs a novel industrial design using a hinged, 2.8-inch display that lets the device sit on a table like a portable DVD player or twist into an LCD viewfinder like a handheld video camera.
AtomShockwave Acquires AddictingGames
Online entertainment company AtomShockwave Corp. said Wednesday that it has acquired games site AddictingGames, boosting AtomShockwave's monthly online audience to more than 30 million people.
Solar Power Charges iPod
Holland-based Soldius b.v. said on Wednesday it's bringing the solar-powered Soldius1 Universal Solar Charger for iPods, PDAs and cellular phones to the U.S. market through its United States distributor mysoldius.
Nokia Unveils Open Source Mobile Browser
Nokia Corp. on Wednesday unveiled an open-source, mobile-phone Web browser that's based on technology from Apple Computer Inc.
A Hot Spot For VC Cash
Your cell phone may not always be well connected, but wireless startups sure are when it comes to knowing whom to ask for money to fund their growth plans.
|
