Feeds

Skype explains why security evaluation omitted bug reports

Security research and marketing don't mix

Choosing a cloud hosting partner with confidence

Analysis The recent emergence of two sets of serious security vulnerabilities in Skype, the popular VoIP communications software app, couldn't have come at a worse time for the firm. Disclosure of the security flaws came days after the publication of a security evaluation of the Skype that wrote about its security model in glowing terms.

Dr Thomas A Berson, an independent cryptographer and computer security expert and author of the report (PDF), admitted in the document that his four month evaluation (which largely focused on cryptographic issues) was incomplete. This statement turned out to be too true after it emerged Security researchers identified two groups of potentially serious security vulnerabilities involving Skype.

In the first case, a security bug in the Skype for Windows means the software can be crashed and forced to execute arbitrary code through a buffer overflow when presented with malformed URLs in the Skype-specific URI format callto:// and skype://. Skype can also be made to execute arbitrary code via the importation of a maliciously formated VCARD (an electronic business card format).

A second security vulnerability covers a heap-based buffer overflow security flaw that is not restricted to Windows PCs and hits Skype across all supported platforms. Skype has published security updates designed to guard against both flaws.

A series of unfortunate coincidences

Kurt Sauer, director of security operations at Skype, admitted that the bugs - particularly the URL flaw - were critical. "It wouldn't be rocket science to build proof-on-concept code," he said. Although Berson found the Windows flaw, which stems from a bug in a Delphi package used to build the Skype user interface, he didn't spot the cross-platform flaw raising doubts about the how much weight can be attached to the report. The omission of any mention of the Windows flaw in Berson's security evaluation calls into quesiton its completeness and the timing of its publication. Sauer said it was "not appropriate to stop anything" because a coincidence between the timing of Berson's report and the emergence of security flaws it knew about, but wasn't ready to publically disclose, at the time of the publication of Berson's report. "We're not going to try to hide a serious problem," he said.

Skype acted within days of notification of security problems to produce security updates but Berson's report would surely have benefited from mention of how the firm handled its first set of security bugs. It ought to have been delayed to allow this information to be appended. There seems to be no compelling why Skype needed to publish the evaluation last month other than dove tailing with an energetic PR campaign it mounted based on the report's publication. The practice of firms trying to gain publicity capital from security studies is akin to scientists trying to get the press interested in discoveries before submitting them to peer review. Marketing and security research are uneasy bed fellows at the best of times and this wasn't the best of times for Skype.

Second opinion

Sauer said he called in Berson because he wanted an independent researcher in developing a security framework that would guide the work of Skype's developers. "We didn't want to have a long engagement with a large lab which would cost millions. All we wanted was unvarnished advice from an outsider," Sauer explained. "Doing a Common Criteria evaluation would have involved a very large commitment of personnel and long lead times. There is no perfect scheme."

The tone of Berson's report - which reads like that of a technically knowledgeable enthusiast rather than an impartial expert - and its apparent focus on cryptographic issues has been seized upon by critics but Sauer said the evaluation had been a success. "The report has helped us make changes to our already good design practice. Code review may not but Berson's forte but this report will help us improve. Our current processes failed to pick up last month's security vulnerabilities but these will be improved," he added. ®

Internet Security Threat Report 2014

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.