Hi, On Wed, 10 Sep 2014 07:50:05 +0200 J. Roeleveld wrote: > > I'm talking about the following research: > > https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact > > =8&ved=0CB4QFjAA&url=https%3A%2F%2Fwww.blackhat.com%2Fpresentations%2Fbh-eur > > ope-06%2Fbh-eu-06-biondi%2Fbh-eu-06-biondi-up.pdf&ei=9jAPVJH1AafnygOOiIHgDg& > > usg=AFQjCNHeILDYY4k-nUUw8vPmUCJ86Eywbg&bvm=bv.74649129,d.bGQ > > > > Of course, skype protocol was likely changed since that time, but I > > really doubt that functionality for remote execution of arbitrary > > code was removed. > > That research was from 2006. Over 8 years ago. > Do you avoid using Bind because of all the security bugs it had in 2006? > What about OpenSSL, that one had a big one not too long ago. > And I'm sure I can find plenty of exploits for the Linux kernel based on the > versions in use in 2006. > > The Skype protocol has changed a lot over the years and older versions of the > protocol have been deprecated and removed.
There is a large difference between mistake, bug and deliberately added functionality. As research shows, remote code execution was deliberately added. What was a bug is a mistake that allowed third-party to use this feature without proper keys. > If it is still in there, I'm certain it would be known, considering the > amount > of people using Skype these days. Ablosute majority of these people are not IT specialists and even for those that are, skype is extremely hard to decrypt, diassemble and study, as one can see from the work above. Most probably that nobody cares to spend several months of full-time employment to analyze modern skype versions again. Best regards, Andrew Savchenko
pgpX4weNr1fq4.pgp
Description: PGP signature
