Peer-to-peer phone company Skype has updated its Internet telephony software, patching a critical flaw in its client for Microsoft Windows-based systems.
The vulnerability could allow attackers to take control of a Skype user's PC after the victim clicks on a specially created URL, security information provider Secunia said Monday. By including a long string of characters in the link, the attacker could trigger a memory error known as a buffer overflow that could then be exploited to run a program.
"Successful exploitation may allow execution of arbitrary code," Secunia said. It has ranked the flaw as "highly critical"—its second-highest rating.
Skype acknowledged the security hole in its release notes for the update. "We became aware of a security threat late last week and moved to correct it," said Kelly Larabee, a spokeswoman for Skype. "We encourage users to download the latest version."
Skype's software enables people to use the Internet to place voice calls. Calls to other Internet phone users are free, while calls to traditional phones and mobile phones are charged a per-minute fee. More than 34 million people have downloaded the software, and as many as 1 million people have used the service simultaneously, according to a posting on Skype's Web site.
Skype's voice over Internet Protocol (VoIP) client runs on Windows XP, Mac OS X, Linux and Microsoft PocketPC.
Secunia also recommended that Skype users update to the latest version of the VoIP software.