SSA-2005-01: SKYPE API ACCESS GRANT REVOCATION FAILURE

Skype Security Advisory, April 20 2005

Overview

Certain versions of Skype for Windows can be made to fail to detect the modification of applications that the user previously authorized to have access to the Skype API. This could allow an attacker to replace an application that has been legitimately granted authorization to use the Skype API with a different one without obtaining the user's explicit consent.

Systems Affected

Microsoft Windows systems running Skype for Windows versions 1.2.0.0 to 1.2.0.46

I. Description

A condition check vulnerability exists in the way Skype checks authorizations for Skype API access. Normally, a user must explicitly authorize an application external to Skype to interact with the Skype client via the Skype API. Furthermore, this access should be automatically revoked if the authorization granted access is replaced or modified in any way.

Under specific circumstances, a check of the identity of the authorized application can be bypassed, thereby allowing a previously-authorized application to be subsequently modified or replaced and yet retain access to the Skype API without the user's explicit consent.

This vulnerability could be exploited by an attacker who can replace or modify specific software on the target machine. In such a case, the attacker could initiate arbitrary Skype API functions as the logged-in Skype user.

II. Impact

Using a specially crafted replacement application that contains calls to Skype API functions, an attacker who can replace or modify an application that has been legitimately authorized to access the Skype API could initiate arbitrary Skype API calls as the logged-in Skype user.

III. Solution

Upgrade to Skype for Windows version 1.2.0.47 or higher.

http://www.skype.com/download/

IV. Credit

Skype thanks Alex Rosenbaum for discovering and referring this issue to us for resolution.

V. External references

CVE has not assigned a name to this vulnerability.

Skype is not responsible for the accuracy of information presented on external sites. External references are provided only for the convenience of Skype customers.

Contact

The security of users is Skype's highest priority. You can contact Skype Product Security Incident Response Team (PSIRT) by e-mailing securitysignskype.net. Past advisories and the Skype PSIRT PGP key are available at http://www.skype.com/security/.