CVE-2017-9948 is a stack buffer overflow vulnerability recently discovered in Microsoft Skype 7.2, 7.35, and 7.36 before 7.37. According to the researchers, the flaw involves MSFTEDIT.DLL mishandling remote RDP clipboard content within the message box. The highly severe vulnerability was disclosed on 16 May 2017.
CVE-2017-9948 Technical Details
This Skype vulnerability is exploitable remotely via a session or through local interaction. The issue resides in how the print clipboard format and cache are transmitted via a remote session. Affected systems are Windows XP, Windows 7, Windows 8 and Windows 10. Keep in mind that the vulnerability was addressed and patched in Skype v7.37.
In short, the flaw lets an attacker crash the Skype app with an unexpected exception error and overwrite the active process registers to execute malicious code.
The security vulnerability is located in the `clipboard format` function of the Skype software. Attackers can use a remote computer system with a shared clipboard to provoke a stack buffer overflow on transmission to Skype. The issue affects the `MSFTEDIT.DLL` dynamic link library of the Windows 8 (x86) operating system. The size and count of images transmitted via print from the remote session clipboard are not subject to any secure limits or restrictions.
CVE-2017-9948 allows local or remote attackers to execute their own code on the affected and connected systems via Skype.
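An added illustration of the kind of check the paragraph above says was missing, not code from Skype, MSFTEDIT.DLL or the researchers' advisory: a receiver that validates the count and size of clipboard images before staging them in a fixed stack buffer. The structure, function names and limit values are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical limits: the page does not say which values Skype adopted. */
#define MAX_IMAGES      8
#define MAX_IMAGE_BYTES 4096

/* Constructed stand-in for one image item received over a shared clipboard. */
struct clip_image { const uint8_t *data; size_t len; /* len is sender-controlled */ };
enum clip_status { CLIP_OK = 0, CLIP_BAD_ARG = -1, CLIP_TOO_MANY = -2, CLIP_TOO_LARGE = -3 };

/* Stage each image in a fixed-size stack buffer, rejecting the whole
 * transfer if the item count or any item size exceeds the limits.
 * On CLIP_OK, *accepted holds the number of bytes staged. */
enum clip_status clip_import(const struct clip_image *imgs, size_t count,
                             size_t *accepted)
{
    uint8_t staging[MAX_IMAGE_BYTES];
    size_t total = 0;
    if (imgs == NULL || accepted == NULL) return CLIP_BAD_ARG;
    *accepted = 0;
    if (count > MAX_IMAGES) return CLIP_TOO_MANY;
    /* Validate everything before copying anything. */
    for (size_t i = 0; i < count; i++) {
        if (imgs[i].len > sizeof staging) return CLIP_TOO_LARGE;
        if (imgs[i].data == NULL && imgs[i].len != 0) return CLIP_BAD_ARG;
    }
    for (size_t i = 0; i < count; i++) {
        /* Without the size check above, this copy would run past staging. */
        if (imgs[i].len != 0) memcpy(staging, imgs[i].data, imgs[i].len);
        total += imgs[i].len;
    }
    *accepted = total;
    return CLIP_OK;
}

/* Constructed input: n images of len bytes each (clamped to one past each
 * limit). Returns bytes staged on success, otherwise the negative status. */
long clip_demo(size_t n, size_t len)
{
    static const uint8_t pixels[MAX_IMAGE_BYTES + 1];
    struct clip_image imgs[MAX_IMAGES + 1];
    size_t accepted = 0;
    if (n > MAX_IMAGES + 1) n = MAX_IMAGES + 1;
    if (len > sizeof pixels) len = sizeof pixels;
    for (size_t i = 0; i < n; i++) { imgs[i].data = pixels; imgs[i].len = len; }
    enum clip_status st = clip_import(imgs, n, &accepted);
    return st == CLIP_OK ? (long)accepted : (long)st;
}
```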
CVE-2017-9948 Fixed in v7.2, v7.3.5 & v7.3.6 Skype Versions
“In a software update of the v7.2, v7.3.5 & v7.3.6 version of Skype, a limitation has been implemented for the clipboard function”, researchers explain. Users of older versions of Skype are advised to update to the latest version as soon as possible to avoid becoming victims of malicious attacks.
Note also that the security risk associated with this flaw is high, as exploitation of the buffer overflow vulnerability requires no user interaction and only a low-privilege Skype user account.