| 1 |
Hi, |
| 2 |
|
| 3 |
On Wed, 10 Sep 2014 07:50:05 +0200 J. Roeleveld wrote: |
| 4 |
> > I'm talking about the following research: |
| 5 |
> > https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact |
| 6 |
> > =8&ved=0CB4QFjAA&url=https%3A%2F%2Fwww.blackhat.com%2Fpresentations%2Fbh-eur |
| 7 |
> > ope-06%2Fbh-eu-06-biondi%2Fbh-eu-06-biondi-up.pdf&ei=9jAPVJH1AafnygOOiIHgDg& |
| 8 |
> > usg=AFQjCNHeILDYY4k-nUUw8vPmUCJ86Eywbg&bvm=bv.74649129,d.bGQ |
| 9 |
> > |
| 10 |
> > Of course, skype protocol was likely changed since that time, but I |
| 11 |
> > really doubt that functionality for remote execution of arbitrary |
| 12 |
> > code was removed. |
| 13 |
> |
| 14 |
> That research was from 2006. Over 8 years ago. |
| 15 |
> Do you avoid using Bind because of all the security bugs it had in 2006? |
| 16 |
> What about OpenSSL, that one had a big one not too long ago. |
| 17 |
> And I'm sure I can find plenty of exploits for the Linux kernel based on the |
| 18 |
> versions in use in 2006. |
| 19 |
> |
| 20 |
> The Skype protocol has changed a lot over the years and older versions of the |
| 21 |
> protocol have been deprecated and removed. |
| 22 |
|
| 23 |
There is a large difference between mistake, bug and deliberately |
| 24 |
added functionality. As research shows, remote code execution was |
| 25 |
deliberately added. What was a bug is a mistake that allowed |
| 26 |
third-party to use this feature without proper keys. |
| 27 |
|
| 28 |
> If it is still in there, I'm certain it would be known, considering the amount |
| 29 |
> of people using Skype these days. |
| 30 |
|
| 31 |
Ablosute majority of these people are not IT specialists and even |
| 32 |
for those that are, skype is extremely hard to decrypt, diassemble |
| 33 |
and study, as one can see from the work above. Most probably that |
| 34 |
nobody cares to spend several months of full-time employment to |
| 35 |
analyze modern skype versions again. |
| 36 |
|
| 37 |
|
| 38 |
Best regards, |
| 39 |
Andrew Savchenko |
Archives