Skype: Zero-Day Vulnerability Discovered
A critical vulnerability has been discovered in Skype, a Microsoft-owned free web messaging and voice calling service, that can allow an attacker to execute malicious code and crash the system remotely. The vulnerability was discovered during a team conference call and has been found in Skype v7.2, v7.35 and v7.36.
“The issue can be exploited remotely via session or by local interaction. The problem is located in the print clipboard format & cache transmit via remote session on Windows XP, Windows 7, Windows 8 and Windows 10. In Skype v7.37 the vulnerability is patched,” the security firm stated.
The stack buffer overflow vulnerability does not require any user interaction, allowing the attacker to remotely crash the application and overwrite the active process registers. The vulnerability is in the ‘clipboard format’ of the application and affects MSFTEDIT.DLL, a dynamic link library of the Windows 8 (x86) operating system.
How the attack works
The attacker creates a malicious image file, then copies it and pastes it from the clipboard of a PC into the conversation window of the application. Once the image is hosted by the clipboard, it causes the application to crash, opening the window for more exploitable vulnerabilities.