Typing 'http://:' Into a Skype Message Trashes the Installation Beyond Repair
An anonymous reader writes: A thread at the Skype community forums has brought to light a critical bug in Microsoft's Skype clients for Windows, iOS and Android: typing the incorrect URL initiator http://: into a text message on Skype will crash the client so badly that it can only be repaired by installing an older version and awaiting a fix from Microsoft. The bug does not affect OS X or the 'Metro'-style Windows clients — which means, effectively, that Mac users could kill the Skype installations on other platforms just by sending an eight-character message.
It's hardly the only thing that causes Skype to crash, and work intermittently at best, and to be fair, it actually started before Microsoft bought them.
He tried to kill me with a forklift!
Good job guys!!
I'm not even sure I've heard of an error condition which required a full uninstall.
I predict many people will be sending that string today. I also predict someone will attempt to charge the people sending it with criminal hacking.
Keep up the good work.
Lost at C:>. Found at C.
Well, my guess would be that they tokenize by the port separator ':' before doing validation of the URL, and end up performing network operations on empty strings. How in the world that breaks the installation, I have no clue. It may be that it caches the convo, and on trying to read the cache again it breaks? Maybe not.
http://community.skype.com/t5/Windows-desktop-client/Skype-Fix-for-crashes-caused-by-bad-URL/td-p/3997463
It's been fifteen years since I as a very, very junior quality assurance engineer had to calmly walk over to the software developers that were working on communications protocols and explain to them that while their protocols (POP3 and SMTP in this case) only truly needed to meet current RFC as far as their list of implemented commands and features was concerned, they had to be able to gracefully handle any and all non-RFC data that they received, even if only to cleanly reject it with an error or to terminate the connection. Instead the implementations would crash hard, requiring the system manager on the platform to detect that they'd gone down in a ball of flames and restart them. They couldn't understand how non-RFC stuff would be sent, even to the point of not understanding how deprecated commands from previous RFCs might still be in-practice, let alone all of the various possible reasons that either accidental garbage or intentional sending of garbage to try to break-in could be the case.
That such problems as basic as incorrectly typed URLs could break Skype is beyond understanding. This should have been sanity-checked as part of the regular process of handling a URL, and in this particular case probably simply autocorrected and attributed to user ignorance.
Do not look into laser with remaining eye.
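The kind of sanity check the comment above asks for, as an added example that is not part of the thread and not Skype's code: a chat linkifier that turns only well-formed http(s) URLs into links and leaves anything else, including `http://:`, as literal text. The names `is_linkable` and `linkify` and the ASCII-hostname restriction are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Candidate URLs: the scheme followed by any run of non-space characters.
CANDIDATE = re.compile(r"\bhttps?://\S*", re.IGNORECASE)
# Conservative hostname label check (assumption: ASCII names only, so IPv6
# literals and other unusual hosts simply stay plain text).
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_linkable(candidate):
    """Return True only for a well-formed http(s) URL with a non-empty host."""
    try:
        parts = urlsplit(candidate)
        host = parts.hostname   # None when the host is empty, as in "http://:"
        port = parts.port       # raises ValueError on a bad or out-of-range port
    except ValueError:
        return False
    if parts.scheme.lower() not in ("http", "https") or not host:
        return False
    if port is not None and not 0 < port < 65536:
        return False
    return all(LABEL.match(label) for label in host.rstrip(".").split("."))


def linkify(message):
    """Split a chat message into ("text", s) and ("link", url) segments."""
    segments, pos = [], 0
    for match in CANDIDATE.finditer(message):
        if not is_linkable(match.group()):
            continue            # malformed input is shown as typed, nothing more
        if match.start() > pos:
            segments.append(("text", message[pos:match.start()]))
        segments.append(("link", match.group()))
        pos = match.end()
    if pos < len(message):
        segments.append(("text", message[pos:]))
    return segments
```

Rejection is a return value here, never an exception that escapes to the caller, so bad input cannot take down the code that renders the conversation.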
Nuff said
"It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
There's a new version up that fixes the bug, so the point is moot.
Is this still Slashdot? Do we still like, or report on Linux anymore?
Around about 2011 I was using the Oxygen XML Editor, and noticed that every time I performed a certain function (I don't recall which, schema validation or something) that Skype would crash. This was on OSX, prior to the current version with the dressed up UI.
If it acquires resources on instantiation like a duck, then it's a shared_ptr<Duck>
If someone says that a bug trashes an application so badly that the "only" way to fix it is reinstalling the program, they are usually mistaken, at least for programs and OSes that don't rely on signed code or similar mechanisms that thwart partial repairs.
I see this bug has a fix. If it did not, you could probably make your own fix by doing a before-and-after comparison of key files and key registry/system settings, then publish your results.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Why does anyone use Skype knowing it's backdoored and everything they say and do is recorded??
Now if only I knew someone who uses Skype chat...
these are the programmers getting paid the big bucks because of their supposed skills.
People on here can whine all they want about companies not paying programmers more, but when you have situations like this it's clear why those companies aren't doing so.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
I don't understand how Skype grew to such dominance in the ip communication field while being such a bad piece of software. I've been helping users improve their computer's abysmal performance by uninstalling Skype for years.
What does Skype do better than everyone else? Why is it so popular? Is it just the network effect, or does it have actual good points to offset the bad?
"I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
Hilarious. Keep up the good work guys.
http://:community.skype.com/t5/Windows-desktop-client/Critical-bug-Skype-7-4-85-102-simple-message-crush-client/td-p/3996419
edit: Slashdot seems to be auto-fixing the HREF links... damnit.
Get free satoshi (Bitcoin) and Dogecoins
Please give a warm welcome to the new 'Skype Killer' emoticon.
When someone says, "Any fool can see
Speaking of it being crap. It's gone totally to shit recently in terms of network usage.
Time was I could make skype calls over HSPDA. These days it's impossibly bad. Anyone know a good cross platform voip system that works over 3G and supports conference calls?
Oh also, if there's a long backlog of chat messages about one time in 20, skype will basically fuck up and be unable to sync them. The solution seems to be to blow away all config data (i.e. equivalent to reinstalling) and reinstall it.
Lovely.
SJW n. One who posts facts.
No, moot has left 4chan.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Sounds like the fundamental logic flaw is in automatically restoring what Skype was doing when it crashed. In this case, if it crashed once, it will do it again. I've hit that in the past when a web browser hit a bad web page that crashed it, and rebooting the browser tried to open the web page that crashed it. With browsers, opening a page usually is slow enough that you can close the page before it crashes again.
Who could have expected a "http://" string in an IM text?!?!
The install isn't broken in that sense. There are no corrupted files or registry key or anything like that. The cached conversation with the broken string in it is processed on startup.
The conversations are stored online, so you have no way to get rid of it locally. Whenever you start up Skype, it's going to download that recent conversation and process that string, hit the bug again and crash.
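The crash loop described in the comments above (history re-synced and re-processed on every start) can be broken with a write-ahead marker. This is an added example, not from the thread or from Skype: the client records which message it is about to render, and a marker left over at the next start quarantines that message. `HistoryReplayer`, `fragile_render`, the state file layout and the sample history are constructed for illustration, and a `RuntimeError` stands in for a native crash.

```python
import json
import os
import tempfile


def fragile_render(body):             # hypothetical renderer with the bug
    if body == "http://:":
        raise RuntimeError("simulated native crash")
    return body


class HistoryReplayer:
    """Replays synced messages, skipping any that killed a previous run."""

    def __init__(self, state_path, render):
        self.state_path, self.render = state_path, render
        self.state = {"in_flight": None, "quarantined": []}
        if os.path.exists(state_path):
            with open(state_path) as fh:
                self.state = json.load(fh)
        if self.state["in_flight"] is not None:   # last run died on this id
            self.state["quarantined"].append(self.state["in_flight"])
            self._save(None)

    def _save(self, in_flight):
        self.state["in_flight"] = in_flight
        tmp = self.state_path + ".tmp"
        with open(tmp, "w") as fh:
            json.dump(self.state, fh)
        os.replace(tmp, self.state_path)          # atomic swap of the state file

    def replay(self, messages):
        shown = []
        for msg_id, body in messages:
            if msg_id in self.state["quarantined"]:
                shown.append((msg_id, "[message could not be displayed]"))
                continue
            self._save(msg_id)                    # marker on disk before risky work
            shown.append((msg_id, self.render(body)))
        self._save(None)
        return shown


def demo():
    path = os.path.join(tempfile.mkdtemp(), "replay_state.json")
    history = [(1, "hi"), (2, "http://:"), (3, "still there?")]  # constructed
    try:
        HistoryReplayer(path, fragile_render).replay(history)    # run 1 dies on id 2
    except RuntimeError:
        pass
    return HistoryReplayer(path, fragile_render).replay(history)  # run 2 recovers
```

Because the marker is written before rendering, the second start recovers even though the first run never got the chance to handle the failure.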
Finally a reason for me to use Skype again.
Any thoughts on why it happens to be the URL prefix that does this? Was this some attempt at incorporating web page pushes using the messenger that went horribly wrong?
Have gnu, will travel.
Don't worry, folks! It's not a bug, it's a feature!
Casablanca, now that brings back memories. For awhile you pretty much had to operate with $IM_OFF if you didn't want to get GPF'd into oblivion every couple of minutes.
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
You do not understand anything of what I wrote, and in an epic way... I am hitting some nerve here? I did not write at any time about security, I'm talking about programming experience and good sense that the "generation Web" seems to lack and the worst part is that they seem not to care about such gaps.
Religion: The greatest weapon of mass destruction of all time
You are smoking crack. Web developers, those writing crappy PHP websites or just straight HTML do not have a clue about security. Those writing enterprise apps at least know what the word means, but the general web page developer still does exactly 0 security work.
The cesspool just got a check and balance.
Yeah unlike desktop developers, any decent web developer KNOWS that their code will be attacked all the time, and designs it appropriately.
Most web developers aren't decent, and don't know how to design their code securely.
"First they came for the slanderers and i said nothing."
That's funny because the vast majority of web developers that I've come across have thought that they just needed to validate the input using JavaScript in the browser and leave it at that.
We now know where little Bobby Tables interned last summer.
Well, those writing just straight HTML don't need to know much about security because that's not HTML's job. As for the PHP monkeys: It depends. Does the monkey use words like "Suhosin" and refuse to use a PHP older than 5.5 because that's when bcrypt became part of the standard library? Then there's a chance they actually do care about security. On the other hand, if they talk about writing WordPress plugins there's a fair chance they've given up Visual Basic development because they weren't smart enough for that.
It's a bit better with other languages; people who do their web development in Python or Ruby are usually a bit smarter than PHP monkeys (though not necessarily smart enough to leave web development for pastures with bigger paychecks).
Disclaimer: I am a former PHP monkey. And what I said about WordPress plugin developers was far too kind.
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
FTA: Update on June 3: Skype has fixed the bug, and in under than 24 hours no less. “We are aware of a Skype issue and have rolled out updates for all impacted products,” a Skype spokesperson told VentureBeat.
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
Error 1201 was not enumerated but luckily someone had read the system documentation https://www.hq.nasa.gov/alsj/a...
I mean, Skype has always had troubles, but seriously simply entering http:/// causes not just a message crash, but wrecks the program! This is amazingly bad for a freshman project, much less an "enterprise" ready program from a major vendor.
Steven
Which has what to do with Skype?
"So long and thanks for all the fish."
Style, the way of thinking when developing your application. Notice how the older versions of Skype and MSN Messenger bothered trying to do the job right and worried about the details. Now notice how the newest versions seem made by someone who only cares about making interfaces that make sense only to him, not caring about details and nastily doing the basic work for which the application was made. As if you took a professional developer and swapped him for an amateur with no experience in making professional applications and having more ego than skill.
Religion: The greatest weapon of mass destruction of all time
I forgot to add this in my previous comment. I said "generation Web" because adding to what I wrote earlier, to me the interface of the current crop of applications looks a lot like something you would do if all you know is making web pages and having no experience with anything other than that.
Religion: The greatest weapon of mass destruction of all time
That ties it in better. I was curious where you were going with that.
"So long and thanks for all the fish."
Ideally web developers will not be developing applications. This is ideal and, as such, is unlikely to be true.
"So long and thanks for all the fish."
What would also be nice is if they fixed the issue that all URLs are converted to hyperlinks and stop discriminating on top level domains.
I am part of a community wireless network which runs its own DNS where the top level domain is .wan
Pasting a URL into skype does not turn it into a hyperlink for the recipient like other URLs do. The recipient has to manually copy and paste the text into their browser.
It may not be HTML's job, but certain basics still need to be understood, such as where you load JS from, and what you can access when in HTTPS mode versus HTTP, and why those things matter. 99% of HTML "devs" do not understand a thing about those scenarios. Anyone that says Ruby is secure doesn't have a clue. Python? Seriously? They may have started taking it more seriously, but how seriously can you take a system that doesn't even verify certificates in 2015? (Since it was reported in Dec 2014, and I'm guessing it wasn't a 1 day fix)
The cesspool just got a check and balance.
They started to cripple the Linux client as well; since last year it ONLY supports PulseAudio. And it natively supported pure ALSA before that, so it is a feature being removed and replaced with an inferior solution.
Luckily someone created apulse, an emulation layer that allows you to run Skype without the hentai-tentacle-monster known as PulseAudio:
https://github.com/i-rinat/apu...
The best part is how they tout the fact that "Hi there, Skype works without Pulse Audio for features like chat as well as sharing files and photos." on their blog, like anyone would use Skype for the text chat features, and that it would somehow make up for the lost functionality: http://blogs.skype.com/2014/06...
When Google Hangouts was a little popular among my friends, the common theme was that other friends hated Google+, so they would not use it, ever.
I believe in my friend circles, Google Hangouts is used much less.
Meanwhile, Telegram is certainly more popular than Skype in my friend circles for text communications and media sharing now.
Change is certain; progress is not obligatory.
I'm not saying that Ruby and Python are highly secure systems. I'm saying that Ruby and Python web devs are smarter than PHP web devs. They less frequently get ideas like "let's use MD5 for our password hashes in 2015" or "I don't see the problem with opening a new MySQL connection every time I want something from the database". The main reason for that is that web development in Python and Ruby is more difficult than in PHP unless you have a bit of programming experience. Fewer completely green developers mean fewer rookie mistakes.
As for HTML: Yes, although those are most often boundary cases where HTML has to interact with other languages - and where the theoretical pure HTML webdev should talk to the people who use those other languages. In practice, of course, nobody uses HTML alone and thus most webdevs do have to deal with JS and server-side security matters. The language itself is pretty safe, its ecosystem isn't.
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
... have the surname Jpg
Hm, and now I wonder why I get strange Skype messages since a week or so ;d
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.