Vulnerability ID 4142

Skype Client 2.8 on Mac Chat Unicode Handler Input Validation

CVSSv3 Temp Score: 4.2
Current Exploit Price (≈): $2k-$5k

A vulnerability classified as problematic has been found in Skype Client 2.8 on Mac. It affects an unknown function of the component Chat Unicode Handler. Manipulation with an unknown input leads to an input validation vulnerability. Confidentiality and integrity are impacted.

The bug was discovered on 05/09/2010. The weakness was disclosed on 06/21/2010 by Marc Ruef with scip AG. The advisory is available for download at scip.ch. The attack may be launched remotely. Technical details are unknown, but a public exploit is available.

An exploit has been disclosed. The exploit is available for download at developer.skype.com. The vulnerability was handled as a non-public zero-day exploit for at least 43 days. During that time the estimated underground price was around $10k-$25k.

Applying a patch eliminates this problem. The bugfix is ready for download at skype.com. The problem might also be mitigated by replacing the product with an alternative. The best possible mitigation is suggested to be switching to an alternative product.

Further details are available at securityfocus.com.

CVSSv3

Base Score: 4.2
Temp Score: 4.2
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N/E:X/RL:U/RC:X
Reliability: Medium

CVSSv2

Base Score: 3.6 (CVSS2#AV:N/AC:H/Au:S/C:P/I:P/A:N)
Temp Score: 3.6 (CVSS2#E:ND/RL:U/RC:ND)
Reliability: Medium

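Vector (AV) | Complexity (AC) | Authentication (Au) | Confidentiality (C) | Integrity (I) | Availability (A)
Local (L) | High (H) | Multiple (M) | None (N) | None (N) | None (N)
Adjacent (A) | Medium (M) | Single (S) | Partial (P) | Partial (P) | Partial (P)
Network (N) | Low (L) | None (N) | Complete (C) | Complete (C) | Complete (C)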

CPE

Exploiting

Class: Input validation
Local: No
Remote: Yes

Availability: Yes
Access: Public
Download: developer.skype.com

Current Price Estimation: $10k-$25k (0-day) / $2k-$5k (Today)

Countermeasures

Recommended: Alternative
Status: Not available
0-Day Time: 43 days since found

Patch: skype.com

Timeline

05/09/2010 Vulnerability found
05/10/2010 +1 days Exploit disclosed
06/21/2010 +42 days Advisory disclosed
06/21/2010 +0 days VulDB entry created
07/02/2010 +11 days OSVDB entry created
12/03/2015 +1980 days VulDB entry updated

Sources

Advisory: scip.ch
Researcher: Marc Ruef
Organization: scip AG
OSVDB: 65974 - Skype for Mac OS X Chat Unicode Handling Remote DoS

Misc.: securityfocus.com

Entry

Created: 06/21/2010
Updated: 12/03/2015
Entry: 81.8% complete