Hi,

On Wed, 10 Sep 2014 07:50:05 +0200 J. Roeleveld wrote:
> > I'm talking about the following research:
> > https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact
> > =8&ved=0CB4QFjAA&url=https%3A%2F%2Fwww.blackhat.com%2Fpresentations%2Fbh-eur
> > ope-06%2Fbh-eu-06-biondi%2Fbh-eu-06-biondi-up.pdf&ei=9jAPVJH1AafnygOOiIHgDg&
> > usg=AFQjCNHeILDYY4k-nUUw8vPmUCJ86Eywbg&bvm=bv.74649129,d.bGQ
> >
> > Of course, skype protocol was likely changed since that time, but I
> > really doubt that functionality for remote execution of arbitrary
> > code was removed.
>
> That research was from 2006. Over 8 years ago.
> Do you avoid using Bind because of all the security bugs it had in 2006?
> What about OpenSSL, that one had a big one not too long ago.
> And I'm sure I can find plenty of exploits for the Linux kernel based on the
> versions in use in 2006.
>
> The Skype protocol has changed a lot over the years and older versions of the
> protocol have been deprecated and removed.

There is a large difference between a mistake, a bug and deliberately
added functionality. As the research shows, remote code execution was
deliberately added. What was a bug is a mistake that allowed
a third party to use this feature without proper keys.

> If it is still in there, I'm certain it would be known, considering the amount
> of people using Skype these days.

The absolute majority of these people are not IT specialists, and even
for those that are, Skype is extremely hard to decrypt, disassemble
and study, as one can see from the work above. Most probably
nobody cares to spend several months of full-time employment to
analyze modern Skype versions again.


Best regards,
Andrew Savchenko