Poor Skype. They started out last week with the best of intentions, releasing what they called an independent security evaluation of their VOIP product, and ended up with egg on their virtual faces as high risk security vulnerabilities came to light.

Skype, based in Luxembourg, has positioned its VOIP product as superior to any one else's in the field because the voice data is encrypted. Since Skype hasn't made its encryption scheme public, this has led to some questions on just how secure it is (and how much of a Calera backdoor was built in.) The author of the report, Tom Berson of Anagram Labs, is well respected in the security field and would seem to be a good choice to author such a reassuring effort.

Of course, to make matters worse, vulnerabilities in the code showed up at the same time as the report's release. Skype says that the vulnerabilities affect Skype software for Windows, Mac OS X, Linux and Pocket PC. Skype goes on to say, "Skype can be made to execute arbitrary code through a buffer overflow when Skype is called upon to handle malformed URLs that are in Skype-specific URI types callto:// and skype://." Also, Skype could launch malicious code "during importation of a VCARD that is in a specific non-standard format."  "Full Article"