Skype Client for Mac Chat Unicode Denial of Service vulnerability

Summary

A Denial of Service vulnerability was discovered in Skype for Mac.

Credit:

The information has been provided by Marc Ruef.
The original article can be found at: http://seclists.org/bugtraq/2010/Jun/208


Details

Vulnerable Systems:
 * Skype Client running on Apple MacOS X (version 2.8)

Marc Ruef at scip AG found a denial of service vulnerability in the current release of the Skype client for Apple MacOS X (version 2.8). The application lets users send messages to other Skype users via the embedded chat feature. If a vulnerable client receives a malicious message, that message and all further messages are received but not displayed. It was not possible to reproduce this behavior on different versions of the Skype client for Windows. On the iPhone (version 1.3.0.275 on iPhone 3GS) the behavior is different: a received message containing the malicious string is shown, but its content is not displayed. Instead, the message box contains a hint that the message has been deleted. No further impact could be determined.

An attacker has to include Unicode characters in the text message sent to the victim. The characters used for the proof-of-concept are from the Mathematical Alphanumeric Symbols block (U+1D400-U+1D7FF). After receiving a malicious message, the attacked client can no longer use the chat feature.

Furthermore, some other elements of the application can no longer be used (e.g. reviewing the chat history).
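For detection or pre-filtering, the range named above can be checked before a message reaches a client. The following is an added example, not code from the advisory or from Skype; the `triage` gateway hook and its verdict strings are hypothetical, and it treats every code point in the block as suspect because the advisory does not say which ones trigger the fault.

```python
import unicodedata

# Block named in the advisory: Mathematical Alphanumeric Symbols.
BLOCK_FIRST, BLOCK_LAST = 0x1D400, 0x1D7FF


def in_block(ch):
    return BLOCK_FIRST <= ord(ch) <= BLOCK_LAST


def find_math_alnum(text):
    """Return (index, 'U+XXXXX') for each code point that lies in the block."""
    return [(i, f"U+{ord(ch):05X}") for i, ch in enumerate(text) if in_block(ch)]


def sanitize(text):
    """Fold block members to their NFKC compatibility form (bold H -> 'H').
    Unassigned code points in the block have no mapping and become U+FFFD."""
    out = []
    for ch in text:
        if in_block(ch):
            folded = unicodedata.normalize("NFKC", ch)
            ch = "\uFFFD" if any(in_block(c) for c in folded) else folded
        out.append(ch)
    return "".join(out)


def triage(raw):
    """Hypothetical gateway hook: raw is the UTF-8 message body off the wire.
    Returns (verdict, text safe to hand to the client, or None)."""
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return ("reject", None)          # malformed UTF-8: do not guess
    if find_math_alnum(text):
        return ("flag", sanitize(text))  # log the hit, deliver folded text
    return ("pass", text)


if __name__ == "__main__":
    # Constructed sample messages, not captured traffic.
    samples = [
        "see you at 5".encode("utf-8"),
        "\U0001D407\U0001D41E\U0001D425\U0001D425\U0001D428".encode("utf-8"),
        b"\xf0\x9d\x90",                 # truncated 4-byte sequence
    ]
    for raw in samples:
        print(triage(raw))
```

The characters in this block lie outside the Basic Multilingual Plane, so each one is four bytes in UTF-8 and a surrogate pair in UTF-16; a filter that inspects UTF-16 code units rather than decoded code points would need to match the pairs instead.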

Workaround:
No workaround or solution known at the moment. It is suggested to allow incoming chat messages from approved friends only.

Disclosure Timeline:
2010/05/09 Identification of the vulnerability
2010/05/10 Notification of Skype via Jira (bug tracking)
2010/06/22 Public disclosure of the advisory

Categories: UNIX