Feeds

Skype explains why security evaluation omitted bug reports

Security research and marketing don't mix

Using blade systems to cut costs and sharpen efficiencies

Analysis The recent emergence of two sets of serious security vulnerabilities in Skype, the popular VoIP communications software app, couldn't have come at a worse time for the firm. Disclosure of the security flaws came days after the publication of a security evaluation of the Skype that wrote about its security model in glowing terms.

Dr Thomas A Berson, an independent cryptographer and computer security expert and author of the report (PDF), admitted in the document that his four month evaluation (which largely focused on cryptographic issues) was incomplete. This statement turned out to be too true after it emerged Security researchers identified two groups of potentially serious security vulnerabilities involving Skype.

In the first case, a security bug in the Skype for Windows means the software can be crashed and forced to execute arbitrary code through a buffer overflow when presented with malformed URLs in the Skype-specific URI format callto:// and skype://. Skype can also be made to execute arbitrary code via the importation of a maliciously formated VCARD (an electronic business card format).

A second security vulnerability covers a heap-based buffer overflow security flaw that is not restricted to Windows PCs and hits Skype across all supported platforms. Skype has published security updates designed to guard against both flaws.

A series of unfortunate coincidences

Kurt Sauer, director of security operations at Skype, admitted that the bugs - particularly the URL flaw - were critical. "It wouldn't be rocket science to build proof-on-concept code," he said. Although Berson found the Windows flaw, which stems from a bug in a Delphi package used to build the Skype user interface, he didn't spot the cross-platform flaw raising doubts about the how much weight can be attached to the report. The omission of any mention of the Windows flaw in Berson's security evaluation calls into quesiton its completeness and the timing of its publication. Sauer said it was "not appropriate to stop anything" because a coincidence between the timing of Berson's report and the emergence of security flaws it knew about, but wasn't ready to publically disclose, at the time of the publication of Berson's report. "We're not going to try to hide a serious problem," he said.

Skype acted within days of notification of security problems to produce security updates but Berson's report would surely have benefited from mention of how the firm handled its first set of security bugs. It ought to have been delayed to allow this information to be appended. There seems to be no compelling why Skype needed to publish the evaluation last month other than dove tailing with an energetic PR campaign it mounted based on the report's publication. The practice of firms trying to gain publicity capital from security studies is akin to scientists trying to get the press interested in discoveries before submitting them to peer review. Marketing and security research are uneasy bed fellows at the best of times and this wasn't the best of times for Skype.

Second opinion

Sauer said he called in Berson because he wanted an independent researcher in developing a security framework that would guide the work of Skype's developers. "We didn't want to have a long engagement with a large lab which would cost millions. All we wanted was unvarnished advice from an outsider," Sauer explained. "Doing a Common Criteria evaluation would have involved a very large commitment of personnel and long lead times. There is no perfect scheme."

The tone of Berson's report - which reads like that of a technically knowledgeable enthusiast rather than an impartial expert - and its apparent focus on cryptographic issues has been seized upon by critics but Sauer said the evaluation had been a success. "The report has helped us make changes to our already good design practice. Code review may not but Berson's forte but this report will help us improve. Our current processes failed to pick up last month's security vulnerabilities but these will be improved," he added. ®

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.