Benjamin Kunz Mejri, a security researcher at Vulnerability Labs has revealed a fatal flaw in Skype Web's messaging and call service that allows attackers to remotely crash the software "with an unexpected exception error, to overwrite the active process registers, and to execute own malicious codes". In a public security disclosure, Mejri said that the stack buffer overflow vulnerability, CVE-2017-9948 affects Skype versions 7.2, 7.35, and 7.36.
The bug, which has now been fixed by Microsoft, has been awarded a cvss (common vulnerability scoring system) count of 7.2, which means that it is estimated as a high-security risk. The attackers don't even need user interaction, and only require a low privilege Skype user account. The vulnerability stems from the 'clipboard format' function of the software and "affects the `MSFTEDIT.DLL` file of the Windows 8 (x86) operating system".
The security team explained:
"The limitation of the transmitted size and count for images via print of the remote session clipboard has no secure limitations or restrictions. Attackers are able to crash the software with one request to overwrite the EIP register of the active software process.
This allows local or remote attackers to execute own codes on the affected and connected computer systems via the Skype software,"
Microsoft was first informed of the bug by Vulnerability Labs on May 16, which was then patched by the Redmond company on June 8. The disclosure came 18 days after the patch was deployed in Skype version 7.37.178. If you're a user of Skype, make sure that your application is running up-to-date. Skype, currently undergoing a huge transition, was attacked last week that rendered it offline for some users.