Gartner Slams Skype - Again
Written by Adam Gosling
Thursday, 01 June 2006
A recent bug in Skype, discovered by Australian security research outfit Security-Assessment, has prompted industry analyst firm Gartner to speak out against the peer-to-peer (P2P) software once more.
In an online research note, Gartner analyst Lawrence Orans said corporates need to “Act Now to Combat the Growing Skype Security Threat”.
He wrote that the 19 May security issue was tagged as "medium risk" by the broadband phone provider. Users and customers were advised to upgrade to the most recent version of the softphone client to fix the problem.
The vulnerability notice states that a flaw in the software would allow an attacker to transfer a single, named file from a victim’s PC.
However, the victim must first be tricked into visiting a malicious Web site under the control of the attacker, and the attacker must know the location of the requested file on the victim’s machine.
But Orans correctly notes that this follows three vulnerabilities discovered last year, two of which were classified as high-risk (one was rated only as low-risk).
Orans says that the string of vulnerabilities “highlights the risk of not establishing and implementing an enterprise policy for Skype”. Although the VoIP software has become very popular amongst users, some network security administrators are more cautious about the free IP telephony software.
“Because the Skype client is a free download, it is widely used and most businesses have no idea how many Skype clients are installed on their systems or how much Skype traffic passes over their networks,” he wrote.
In part, Orans’ problem with Skype was the handling of the issue.
When users with a vulnerable client sign on to Skype, they receive a prompt suggesting they upgrade to the most recent version, but are not warned about the vulnerability or the associated risks, he notes, adding that they are still allowed to access the service even though they have a vulnerable client.
“In contrast, Microsoft immediately restricted access to its MSN Messenger instant messaging (IM) service in 2005 when it discovered a vulnerability in its IM client.
Only users with an updated and non-vulnerable client were allowed to access the service, which meant Microsoft essentially performed the vulnerability management process on behalf of businesses.
“Skype provides no such protection”, he wrote.