The German security firm Vulnerability Lab found a stack buffer overflow bug in Skype. This vulnerability can cause Skype to crash, and it can also allow remote code execution. The vulnerability is listed in the CVE (Common Vulnerabilities and Exposures) database as CVE-2017-9948.
The exploit revolves around image processing of the Windows clipboard, and can be invoked locally, or remotely while in a session. An attacker can craft a malicious image file and then copy and paste it from the clipboard into a conversation window in the Skype application.
Once this image is loaded into both the local and remote clipboards, Skype experiences a stack buffer overflow, which crashes the application. This leaves the door open for more exploit options.
The problem occurs because of the way that Skype handles the MSFTEDIT.DLL library. For those who want more detail, the original article from Vulnerability Lab is here. This is yet another example of the continuing problems with image processing by Windows.
This affects most versions of Skype, from 7.2, to 7.35 and 7.36, and was reported on May 16, 2017. Proof-of-concept code was also provided at that time. Microsoft quickly fixed it and released a new version of Skype, version 7.37.178, on June 8th, 2017.
Users should upgrade the Skype application as soon as possible.