Typing 'http://:' Into a Skype Message Trashes the Installation Beyond Repair

An anonymous reader writes: A thread at the Skype community forums has brought to light a critical bug in Microsoft's Skype clients for Windows, iOS and Android: typing the incorrect URL initiator http://: into a text message on Skype will crash the client so badly that it can only be repaired by installing an older version and awaiting a fix from Microsoft. The bug does not affect OS X or the 'Metro'-style Windows clients — which means, effectively, that Mac users could kill the Skype installations on other platforms just by sending an eight-character message.

Wow ...

[gstoddart]

Good job guys!!

I'm not even sure I've heard of an error condition which required a full uninstall.

I predict many people will be sending that string today. I also predict someone will attempt to charge the people sending it with criminal hacking.

Keep up the good work.

Really?

[TWX]

It's been fifteen years since I as a very, very junior quality assurance engineer had to calmly walk over to the software developers that were working on communications protocols and explain to them that while their protocols (POP3 and SMTP in this case) only truly needed to meet current RFC as far as their list of implemented commands and features was concerned, they had to be able to gracefully handle any and all non-RFC data that they received, even if only to cleanly reject it with an error or to terminate the connection. Instead the implementations would crash hard, requiring the system manager on the platform to detect that they'd gone down in a ball of flames and restart them. They couldn't understand how non-RFC stuff would be sent, even to the point of not understanding how deprecated commands from previous RFCs might stil be in-practice, let alone all of the various possible reasons that either accidental garbage or intentional sending of garbage to try to break-in could be the case.

That such problems as basic as incorrectly typed URLs could break Skype is beyond understanding. This should have been sanity-checked as part of the regular process of handling a URL, and in this particular case probably simply autocorrected and attributed to user ignorance.

Re:Really?

[gstoddart]

That such problems as basic as incorrectly typed URLs could break Skype is beyond understanding.

I don't think it's beyond understanding. Not even a little.

Microsoft has always been pioneers of the "let's try to embed 'smarts' in stuff to make it cooler and friendlier to use" kind of thing.

Autorun on media, for instance has caused a lot of problems with things like viruses and rootkits.

Hell, Microsoft pioneered the technology which meant you could get a virus without opening the attachment of an email -- and up until then people had been saying "no, you can't get a virus simply from clicking on the email unless you run the attachment". Then Microsoft went straight to running the attachment and proved them wrong.

Microsoft tries so hard to coat the world in eye candy and do things for the user that they often go straight to the "well, you clearly want me to run that".

So in this case it probably went "ZOMG, teh URL" and jumped to running some code.

I have found over the years Microsoft's zeal to have dynamic, flashy content often means they create things which make for terrible robustness.

Like their widgets and live desktop stuff they've now had to deprecate on no less than three different platforms that I'm aware of because it was a giant security hole.

They put in a feature which says "wow, we'll just run this stuff because it's awesome", only to run smack into the wall of "but it's also dangerous".

Re:Really?

[gstoddart]

I would argue that a failure to catch an un-enumerated exception is neither correctness, nor keeping it running.

However, I've heard the argument about the elegance and beauty of letting it crash because it's a real defect which should be identified ... I just disagree that an ungraceful failure is the way to do it.

I hope the people writing self-driving cars don't have the idiotic mindset that if they haven't enumerated the error it should be allowed to fail spectacularly.

The reality is, in the real world when software doesn't fail gracefully, some smug idiot of a developer who said you shouldn't catch things you didn't anticipate isn't there to clean up his mess. So his damned "correctness" becomes an aesthetic thing which is useless.

That's just defective by design, because either your design is 100% perfect and infallible, or it's pretty and elegant but is a crash waiting to happen.

Reality seldom conforms to the pre-planned expectations of the guys who built the product.

"Correctness" isn't correct if it can't account for incomplete correctness. It's lazy and ideological.

Re:Oh well

[gstoddart]

Crashing is one thing.

Parsing input data sufficiently badly as to require an uninstall? That's pretty epic.

Does it affect the Linux client?

[kervin]

Is this still Slashdot? Do we still like, or report on Linux anymore?

Re:Oh well

[Njorthbiatr]

This. So much this.

I usually defend MS against people who I believe unfairly attack them, but you've really struck a nerve.

I don't know what team is responsible for Skype, but they have done such a mind boggling horrible job I'm half convinced they're intentionally trying to kill it, cut it into small pieces, then burn the remains before firing the ashes into the nearest black hole.

Every single version they push out has been worse than the last, and the last good version was 6.18. I loathe the day when they finally kill this version to force people into their newer, more broken, buggy, and less featured version. And to boot it wasn't enough that they started forcing people to update by patching it through Windows Update. I started my computer one day to find Skype completely uninstalled -- all because of Windows Update (which I now review for all updates after this tragic experience). Somehow it managed to uninstall itself and then couldn't reinstall itself because I replaced the update file with a dummy.

They keep removing features but *promise* to put them back in... And even years later the features still haven't back in added. But hey that's okay because now Skype can use even larger emoticons. Well fucking thanks for that useless fucking feature. That's all Skype gets nowadays, useless improvements and worse performance. The calls I get with 6.18 are perfect but with any version 7 I may as well just write letters and send them through the mail.

Oh but wait they changed the UI to be even worse! Now you have chat bubbles for some stupid fucking reason.

Microsoft we deserve an explanation for this total fucking incompetence. Maybe you should hire actual software developers instead of monkey interns who think smashing their face into a keyboard is an acceptable way to write software.