Concerned at the potential network security risks, Orans goes on to advise businesses to assess the risk of allowing Skype on their network and then “take appropriate action”.
“The most secure option is to block Skype traffic completely,” he concludes, saying that if a business decides to allow Skype use, it must proactively manage version control of the client software.
The vulnerability, confirmed by Skype, could allow users to “retrieve” files from other Skype users through unauthenticated connections due to a flaw present in the Uniform Resource Identifiers. The exploit was only effective if the victim was using Internet Explorer.
The attacker needed to authorize the victim by adding them to the attacker’s contact list. According to reports, the attack did not require the authorisation of the attacker by the victim.
Although the Australian security researcher discovered the fault in early May, it did not go public with its discovery until Skype contacted Security-Assessment to inform it that a patch had been prepared.