By Villu Arak on December 10, 2007. In early November, Zero Day Initiative informed Skype of a vulnerability that allows a remote attacker to execute arbitrary code, provided that the user visits a malicious website.
The flaw exists within the skype4com URI handler component of Skype. An exploitable memory corruption may occur while parsing URIs, which can result in arbitrary code execution with the rights of the current Windows user account.
The issue was fixed in the public release of Skype 3.6 for Windows. All versions of Skype for Windows updated or installed as of November 15 include the patch.
At Skype, we strive to inform the public of vulnerabilities and malware that may affect Skype software. While this particular vulnerability was fixed, there was an unintentional communication oversight and we failed to bring the case to the public’s attention. All we can do now is to apologize.
Meanwhile, we’d like to advise users to always upgrade to the latest version of Skype. This ensures access to the latest features, improvements and fixes, and helps get the most out of your Skype experience.