Skype 'Extras Manager' vuln found In The Wild...
- http://www.m86securi...trace.1347~.asp
June 16, 2010 - "On October 12th, 2009, Skype released an updated version (4.1.0.179) of their popular VoIP client, which fixed an unspecified vulnerability in their plug-in component for Skype called EasyBits Extras Manager. The EasyBits software is intended to protect commercial software, such as plug-ins, from illegal redistribution or unlicensed use... Vulnerability disclosures are one of the most common ways cybercriminals craft their exploits, including those seen in the exploit kits themselves. In this scenario, our Security Labs team has identified a working exploit in the wild that targets this vulnerability... the malicious code exploits a Skype ActiveX vulnerability using primitive obfuscation techniques in order to bypass Antivirus security solutions. We can confirm this exploit code works successfully against vulnerable Skype installations. Testing this exploit page with VirusTotal illustrates the dismal results (1/41 - 2.44%)... It is interesting to note that within Skype's own release notes for the security vulnerability, they provide a recommendation to their users to 'use virus protection services in case of any problems.' Unfortunately for those users, the virus protection would have failed. However, the core issue here is not the antivirus solution's ability to mitigate this threat, but the fact that the update process remains problematic for many companies. Many users continue to run outdated applications for months, even years, and these old versions continue to be exploited by cybercriminals. Even with the disclosure and security fixes provided by application developers, cybercriminals know that most users rarely update, making it not only easy but beneficial to monitor sites that post disclosures and proof of concept code. Ask yourself: Do you know what version of Skype you're running?"
- http://secunia.com/v...ine/?task=start
Edited by AplusWebMaster, 16 June 2010 - 06:12 AM.