-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ----- Start of announcement -----

April 20, 2005

SKYPE SECURITY ADVISORY SSA-2005-01:
SKYPE API ACCESS GRANT REVOCATION FAILURE

Overview

Certain versions of Skype for Windows can be made to fail to detect the modification of applications that the user previously authorized to have access to the Skype API. This could allow an attacker to replace an application that has been legitimately granted authorization to use the Skype API with a different one without obtaining the user's explicit consent.

Systems Affected

Microsoft Windows systems running Skype for Windows versions 1.2.0.0 to 1.2.0.46

I. Description

A condition check vulnerability exists in the way Skype checks authorizations for Skype API access. Normally, a user must explicitly authorize an application external to Skype to interact with the Skype client via the Skype API. Furthermore, this access should be automatically revoked if the application that was granted access is replaced or modified in any way.

Under specific circumstances, a check of the identity of the authorized application can be bypassed, thereby allowing a previously authorized application to be subsequently modified or replaced and yet retain access to the Skype API without the user's explicit consent.

This vulnerability could be exploited by an attacker who can replace or modify specific software on the target machine. In such a case, the attacker could initiate arbitrary Skype API functions as the logged-in Skype user.

II. Impact

Using a specially crafted replacement application that contains calls to Skype API functions, an attacker who can replace or modify an application that has been legitimately authorized to access the Skype API could initiate arbitrary Skype API calls as the logged-in Skype user.

III. Solution

Upgrade to Skype for Windows version 1.2.0.47 or higher.

http://www.skype.com/download/

IV. Credit

Skype thanks Alex Rosenbaum for discovering and referring this issue to us for resolution.

V. External references

CVE has not assigned a name to this vulnerability.

Skype is not responsible for the accuracy of information presented on external sites. External references are provided only for the convenience of Skype customers.

Contact

The security of users is Skype's highest priority. You can contact the Skype Product Security Incident Response Team (PSIRT) by e-mailing security@skype.net. Past advisories and the Skype PSIRT PGP key are available at http://www.skype.com/security/.

Revision history

20 April 2005 - Initial release

- ----- End of announcement -----
-----BEGIN PGP SIGNATURE-----
Version: PGP 9.0.0 (Build 1917) Beta

iQA/AwUBQmZcrOQJFIMBnbtDEQKxAgCg8mjUQpR6lE57hF774VySkpjCoLsAn1tz
2aoOn5OISRjuPfcDmjf57HYC
=yL/X
-----END PGP SIGNATURE-----
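The following Python model is an added, defender-side illustration of the check the Description section calls for: an API access grant that is tied to the authorized application's identity at consent time and is revoked when that application is later modified or replaced. It is not Skype's code and does not claim to reproduce Skype's actual mechanism; the registry class, the policy flag, the sample "executable" written to a temporary directory and its file name are all constructed for this example. The weak policy (identity = path only) reproduces the failure class the advisory describes: whatever now lives at a previously authorized path keeps access. The strict policy recomputes a content fingerprint on every access and drops the grant on mismatch, so re-consent is required.

```python
"""Model of an API access grant bound to the authorized binary's content.

Added illustration for SSA-2005-01. NOT Skype's code; the registry, the
policy flag and the sample application below are constructed assumptions.
"""
import hashlib
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> str:
    """SHA-256 over the whole file; any byte-level modification changes it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class ApiGrantRegistry:
    """Records which applications the user explicitly authorized to use the API.

    bind_to_content=False models the weak check (identity is the path only),
    the class of failure the advisory describes. True models the intended
    behaviour: the grant is tied to the binary's content at consent time and
    is revoked the moment the content no longer matches.
    """

    def __init__(self, bind_to_content: bool = True):
        self.bind_to_content = bind_to_content
        self._grants: dict[str, str] = {}  # absolute path -> fingerprint at consent time

    def grant(self, path: Path) -> None:
        # Called only after the user has explicitly consented to this application.
        self._grants[str(path.resolve())] = fingerprint(path)

    def check_access(self, path: Path) -> str:
        key = str(path.resolve())
        if key not in self._grants:
            return "denied: no grant, ask the user"
        if not self.bind_to_content:
            return "allowed"  # weak: whatever now lives at this path gets in
        if fingerprint(path) != self._grants[key]:
            del self._grants[key]  # revoke; explicit re-consent is required
            return "revoked: application modified since consent"
        return "allowed"


def demo() -> dict:
    """Grant access to a sample app, replace it on disk, re-check under both policies.

    Returns the access decisions so the outcome can be asserted on.
    """
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "companion.exe"  # constructed sample path
        app.write_bytes(b"ORIGINAL AUTHORIZED APPLICATION")
        weak = ApiGrantRegistry(bind_to_content=False)
        strict = ApiGrantRegistry(bind_to_content=True)
        weak.grant(app)
        strict.grant(app)
        before = (weak.check_access(app), strict.check_access(app))
        app.write_bytes(b"REPLACED APPLICATION BODY")  # simulated in-place replacement
        after = (weak.check_access(app), strict.check_access(app))
        strict_again = strict.check_access(app)  # grant is gone after revocation
    return {"before": before, "after": after, "strict_again": strict_again}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```

A content hash is the simplest identity that survives replacement; a production client would more commonly bind a grant to the publisher's code-signing certificate, which additionally tolerates legitimate updates from the same publisher. Either way, the essential property is the one the advisory states: the identity check must run on every access, not only at the time consent is given.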