Feeds

Skype explains why security evaluation omitted bug reports

Security research and marketing don't mix

The essential guide to IT transformation

Analysis The recent emergence of two sets of serious security vulnerabilities in Skype, the popular VoIP communications software app, couldn't have come at a worse time for the firm. Disclosure of the security flaws came days after the publication of a security evaluation of the Skype that wrote about its security model in glowing terms.

Dr Thomas A Berson, an independent cryptographer and computer security expert and author of the report (PDF), admitted in the document that his four month evaluation (which largely focused on cryptographic issues) was incomplete. This statement turned out to be too true after it emerged Security researchers identified two groups of potentially serious security vulnerabilities involving Skype.

In the first case, a security bug in the Skype for Windows means the software can be crashed and forced to execute arbitrary code through a buffer overflow when presented with malformed URLs in the Skype-specific URI format callto:// and skype://. Skype can also be made to execute arbitrary code via the importation of a maliciously formated VCARD (an electronic business card format).

A second security vulnerability covers a heap-based buffer overflow security flaw that is not restricted to Windows PCs and hits Skype across all supported platforms. Skype has published security updates designed to guard against both flaws.

A series of unfortunate coincidences

Kurt Sauer, director of security operations at Skype, admitted that the bugs - particularly the URL flaw - were critical. "It wouldn't be rocket science to build proof-on-concept code," he said. Although Berson found the Windows flaw, which stems from a bug in a Delphi package used to build the Skype user interface, he didn't spot the cross-platform flaw raising doubts about the how much weight can be attached to the report. The omission of any mention of the Windows flaw in Berson's security evaluation calls into quesiton its completeness and the timing of its publication. Sauer said it was "not appropriate to stop anything" because a coincidence between the timing of Berson's report and the emergence of security flaws it knew about, but wasn't ready to publically disclose, at the time of the publication of Berson's report. "We're not going to try to hide a serious problem," he said.

Skype acted within days of notification of security problems to produce security updates but Berson's report would surely have benefited from mention of how the firm handled its first set of security bugs. It ought to have been delayed to allow this information to be appended. There seems to be no compelling why Skype needed to publish the evaluation last month other than dove tailing with an energetic PR campaign it mounted based on the report's publication. The practice of firms trying to gain publicity capital from security studies is akin to scientists trying to get the press interested in discoveries before submitting them to peer review. Marketing and security research are uneasy bed fellows at the best of times and this wasn't the best of times for Skype.

Second opinion

Sauer said he called in Berson because he wanted an independent researcher in developing a security framework that would guide the work of Skype's developers. "We didn't want to have a long engagement with a large lab which would cost millions. All we wanted was unvarnished advice from an outsider," Sauer explained. "Doing a Common Criteria evaluation would have involved a very large commitment of personnel and long lead times. There is no perfect scheme."

The tone of Berson's report - which reads like that of a technically knowledgeable enthusiast rather than an impartial expert - and its apparent focus on cryptographic issues has been seized upon by critics but Sauer said the evaluation had been a success. "The report has helped us make changes to our already good design practice. Code review may not but Berson's forte but this report will help us improve. Our current processes failed to pick up last month's security vulnerabilities but these will be improved," he added. ®

Next gen security for virtualised datacentres

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?