
Fixed Skype zero-day, that can cause remote crashes, disclosed


Vulnerability Lab security researcher Benjamin Kunz Mejri has revealed a now-fixed zero-day flaw in Microsoft’s Skype service that allowed an attacker to remotely crash the application.
Benjamin Kunz Mejri, a security researcher at Vulnerability Labs, has revealed a fatal flaw in Skype Web’s messaging and call service that allows attackers to remotely crash the software “with an unexpected exception error, to overwrite the active process registers, and to execute own malicious codes”. In a public security disclosure, Mejri said that the stack buffer overflow vulnerability, CVE-2017-9948, affects Skype versions 7.2, 7.35, and 7.36.
The bug, which has now been fixed by Microsoft, has been assigned a CVSS (Common Vulnerability Scoring System) score of 7.2, which means that it is rated a high security risk. An attacker does not need any user interaction and requires only a low-privilege Skype user account. The vulnerability stems from the ‘clipboard format’ function of the software and “affects the `MSFTEDIT.DLL` file of the Windows 8 (x86) operating system”.
The security team explained:
Vulnerability Labs first informed Microsoft of the bug on May 16, and the Redmond company patched it on June 8. The disclosure came 18 days after the patch was deployed in Skype version 7.37.178. If you’re a Skype user, make sure that your application is up to date. Skype, currently undergoing a huge transition, was hit last week by an attack that rendered it offline for some users.
Source: ZDNet
