A buffer overflow in the way Skype handles imported VCARDs may allow a remote attacker to execute code on a vulnerable system.
Skype software provides telephone service over IP networks. Skype fails to properly validate imported VCARDs, allowing a buffer overflow to occur. The buffer overflow may stem from an input validation error in the Delphi routine
A remote attacker may be able to execute arbitrary code if they can persuade a user to import a specially crafted VCARD with a Skype-specific URI with a vulnerable Skype installation.
Please see Skype Security Bulletin SKYPE-SB/2005-002 for a list of fixed Skype versions.
Do not import VCARDs from untrusted sources
Exploitation occurs by importing a specially crafted VCARD. By only accessing a VCARDs from trusted or known sources, the chances of exploitation are reduced.
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Vendor has issued information
__ Sort by: Status Alphabetical
Affected Unknown __ Unaffected
Updated: October 26, 2005
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Please see <http://www.skype.com/security/skype-sb-2005-02.html>.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | | N/A
This vulnerability was reported by SKY-CERT. SKY-CERT credits Mark Rowe of Pentest Limited with providing information regarding this issue.
This document was written by Jeff Gennari.
CVE IDs: | CVE-2005-3265
Severity Metric:** | 10.13
Date Public: | 2005-10-25
Date First Published: | 2005-10-26
Date Last Updated: | 2005-12-19 14:34 UTC
Document Revision: | 11