Feeds

Skype explains why security evaluation omitted bug reports

Security research and marketing don't mix

Beginner's guide to SSL certificates

Analysis The recent emergence of two sets of serious security vulnerabilities in Skype, the popular VoIP communications software app, couldn't have come at a worse time for the firm. Disclosure of the security flaws came days after the publication of a security evaluation of the Skype that wrote about its security model in glowing terms.

Dr Thomas A Berson, an independent cryptographer and computer security expert and author of the report (PDF), admitted in the document that his four month evaluation (which largely focused on cryptographic issues) was incomplete. This statement turned out to be too true after it emerged Security researchers identified two groups of potentially serious security vulnerabilities involving Skype.

In the first case, a security bug in the Skype for Windows means the software can be crashed and forced to execute arbitrary code through a buffer overflow when presented with malformed URLs in the Skype-specific URI format callto:// and skype://. Skype can also be made to execute arbitrary code via the importation of a maliciously formated VCARD (an electronic business card format).

A second security vulnerability covers a heap-based buffer overflow security flaw that is not restricted to Windows PCs and hits Skype across all supported platforms. Skype has published security updates designed to guard against both flaws.

A series of unfortunate coincidences

Kurt Sauer, director of security operations at Skype, admitted that the bugs - particularly the URL flaw - were critical. "It wouldn't be rocket science to build proof-on-concept code," he said. Although Berson found the Windows flaw, which stems from a bug in a Delphi package used to build the Skype user interface, he didn't spot the cross-platform flaw raising doubts about the how much weight can be attached to the report. The omission of any mention of the Windows flaw in Berson's security evaluation calls into quesiton its completeness and the timing of its publication. Sauer said it was "not appropriate to stop anything" because a coincidence between the timing of Berson's report and the emergence of security flaws it knew about, but wasn't ready to publically disclose, at the time of the publication of Berson's report. "We're not going to try to hide a serious problem," he said.

Skype acted within days of notification of security problems to produce security updates but Berson's report would surely have benefited from mention of how the firm handled its first set of security bugs. It ought to have been delayed to allow this information to be appended. There seems to be no compelling why Skype needed to publish the evaluation last month other than dove tailing with an energetic PR campaign it mounted based on the report's publication. The practice of firms trying to gain publicity capital from security studies is akin to scientists trying to get the press interested in discoveries before submitting them to peer review. Marketing and security research are uneasy bed fellows at the best of times and this wasn't the best of times for Skype.

Second opinion

Sauer said he called in Berson because he wanted an independent researcher in developing a security framework that would guide the work of Skype's developers. "We didn't want to have a long engagement with a large lab which would cost millions. All we wanted was unvarnished advice from an outsider," Sauer explained. "Doing a Common Criteria evaluation would have involved a very large commitment of personnel and long lead times. There is no perfect scheme."

The tone of Berson's report - which reads like that of a technically knowledgeable enthusiast rather than an impartial expert - and its apparent focus on cryptographic issues has been seized upon by critics but Sauer said the evaluation had been a success. "The report has helped us make changes to our already good design practice. Code review may not but Berson's forte but this report will help us improve. Our current processes failed to pick up last month's security vulnerabilities but these will be improved," he added. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.