A 19-year-old bug hunter has identified a flaw in the Android version of Microsoft's Skype app which, if exploited, can help the attacker access various app functions without needing to go through passcode verification for unlocking the phone.

This flaw is indeed going to help pranksters, malicious threat actors, and identity thieves as it has great potential for exploitation.

Florian Kunushevci, the bug hunter who identified the vulnerability (CVE-2019-0622), claims that a person owning an Android phone can receive a Skype call without even unlocking the phone, apart from accessing other data. Once the phone is unlocked, the attacker can view everything from contacts to photos, send SMS messages and may also open browser windows.

Here's How Attackers can Exploit this Flaw

According to the vulnerability report, attackers can craft a malicious image file and then copy and paste it from a clipboard of a computer system into a conversation window in the Skype application. The issue resides in the way Skype uses the 'MSFTEDIT.DLL' file in case of a copy request on local systems. So, an attacker can remotely crash the application "with an unexpected exception error, to overwrite the active process registers," or even execute malicious code on a target system running the vulnerable Skype version.

What's worse? The stack buffer overflow vulnerability doesn't require any user interaction, and only requires a low-privilege Skype user account.

"The issue can be exploited remotely via session or by local interaction. The problem is located in the print clipboard format & cache transmit via remote session on Windows XP, Windows 7, Windows 8 and Windows 10. In Skype v7.37 the vulnerability is patched," the security firm wrote.

The vulnerability is considered a high-security risk with a 7.2 CVSS score and affects Skype versions 7.2, 7.35, and 7.36 on Windows XP, Windows 7 and Windows 8, Mejri said in a public security disclosure published on Monday.