Slashdot Mirror


Typing 'http://:' Into a Skype Message Trashes the Installation Beyond Repair

An anonymous reader writes: A thread at the Skype community forums has brought to light a critical bug in Microsoft's Skype clients for Windows, iOS and Android: typing the incorrect URL initiator http://: into a text message on Skype will crash the client so badly that it can only be repaired by installing an older version and awaiting a fix from Microsoft. The bug does not affect OS X or the 'Metro'-style Windows clients — which means, effectively, that Mac users could kill the Skype installations on other platforms just by sending an eight-character message.

37 of 225 comments

  1. Oh well by 3.5 stripes · · Score: 4, Interesting

    It's hardly the only thing that causes Skype to crash, and work intermittently at best, and to be fair, it actually started before Microsoft bought them.

    --
    He tried to kill me with a forklift!
    1. Re:Oh well by gstoddart · · Score: 5, Insightful

      Crashing is one thing.

      Parsing input data sufficiently badly as to require an uninstall? That's pretty epic.

      --
      Lost at C:>. Found at C.
    2. Re:Oh well by penguinoid · · Score: 5, Funny

      Watch out, everybody! There's a new Windows virus going about. See here for more information http://:

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    3. Re:Oh well by Njorthbiatr · · Score: 5, Insightful

      This. So much this.

      I usually defend MS against people who I believe unfairly attack them, but you've really struck a nerve.

      I don't know what team is responsible for Skype, but they have done such a mind boggling horrible job I'm half convinced they're intentionally trying to kill it, cut it into small pieces, then burn the remains before firing the ashes into the nearest black hole.

      Every single version they push out has been worse than the last, and the last good version was 6.18. I loathe the day when they finally kill this version to force people into their newer, more broken, buggy, and less featured version. And to boot it wasn't enough that they started forcing people to update by patching it through Windows Update. I started my computer one day to find Skype completely uninstalled -- all because of Windows Update (which I now review for all updates after this tragic experience). Somehow it managed to uninstall itself and then couldn't reinstall itself because I replaced the update file with a dummy.

      They keep removing features but *promise* to put them back in... And even years later the features still haven't been added back in. But hey that's okay because now Skype can use even larger emoticons. Well fucking thanks for that useless fucking feature. That's all Skype gets nowadays, useless improvements and worse performance. The calls I get with 6.18 are perfect but with any version 7 I may as well just write letters and send them through the mail.

      Oh but wait they changed the UI to be even worse! Now you have chat bubbles for some stupid fucking reason.

      Microsoft we deserve an explanation for this total fucking incompetence. Maybe you should hire actual software developers instead of monkey interns who think smashing their face into a keyboard is an acceptable way to write software.

    4. Re:Oh well by bill_mcgonigle · · Score: 2

      Parsing input data sufficiently badly as to require an uninstall? That's pretty epic.

      What do you want from the NSA contractor sent in to write the install code? Did he get a government job because he could make it in industry?

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    5. Re:Oh well by ArcadeMan · · Score: 2

      I missed it, what was that about?

    6. Re:Oh well by gestalt_n_pepper · · Score: 2

      No, I'm pretty sure it's sheer stupidity. I just tried to turn on .net 3.5 framework, which many different software packages require. At the moment, it's almost impossible to do. Microsoft's own security packages have made .net 3.5 almost impossible to install and use.

      For the record, you *can* do it, if you have original media and can run an obscure set of commands through an elevated cmd prompt. I only burned up 2 or 3 hours of otherwise productive time working around yet another "security" issue.

      Security's motto: Our job's not done until you can't do yours.

      --
      Please do not read this sig. Thank you.
    7. Re:Oh well by TheDarkMaster · · Score: 2

      The explanation is that the senior developers are retiring and being replaced by brats who think writing a crappy web page is the same thing as writing a desktop application.

      --
      Religion: The greatest weapon of mass destruction of all time
    8. Re:Oh well by Anonymous Coward · · Score: 2, Interesting

      This. Skype was once independent and peer-to-peer, making it hard to wiretap. Then Microsoft, presumably at the behest of the NSA, bought it and centralized the networking structure.

    9. Re:Oh well by AmiMoJo · · Score: 2

      It's not as epic as you might think. Skype, like many apps, keeps a message history/log. When it opens it parses that history. Since the bug is in the parser, it crashes when starting up. The only solution is to either remove the log files or go back to an earlier version that doesn't have the buggy parser code.

      It's a not uncommon fault with apps that load data at start-up, which is most of them. For example, I have some industrial logging software made by Picolog that crashes on start-up when you have certain settings, and the only fix is to delete the settings files. I remember games where if you had a corrupt save somewhere it would crash on start-up as it tried to parse available games and display the list.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    10. Re: Oh well by Anonymous Coward · · Score: 2, Funny

      They took the indentation war too seriously.

    11. Re:Oh well by coinreturn · · Score: 2

      You must have missed the IMF / Rootkit issue.. Or ignored it.

      Was that the Impossible Mission Force or the International Monetary Fund?

    12. Re:Oh well by KGIII · · Score: 2

      With Android, a simple checkbox enables you to install applications from a source other than Google's store. Then search for the version you want, uninstall the version you do not want, and install the version you do want. This is not complex.

      --
      "So long and thanks for all the fish."
  2. Wow ... by gstoddart · · Score: 5, Insightful

    Good job guys!!

    I'm not even sure I've heard of an error condition which required a full uninstall.

    I predict many people will be sending that string today. I also predict someone will attempt to charge the people sending it with criminal hacking.

    Keep up the good work.

    --
    Lost at C:>. Found at C.
    1. Re:Wow ... by Anonymous Coward · · Score: 5, Informative

      I'm not even sure I've heard of an error condition which required a full uninstall.

      I can guess why and I doubt an uninstall would help.

      All you really need to know is that Skype saves conversations and redisplays them when it starts. So you send someone http://:, that triggers the bug, and on restart, it reloads the conversation and crashes again.

      If that's the case, a reinstall won't help, because Skype will just re-download the missed messages and reencounter the bad URL and reenter the crash loop.

      (Presumably the bug is that they see the second ":", decide it's the start of a port, and leave the hostname uninitialized, causing a crash.)
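
      An added example, not part of the comment above and not Skype's code: written in C, it covers the failure described in this thread, a message history that is re-parsed at start-up (AmiMoJo's comment) and a URL with an empty host before the port colon (the guess above). The names `parse_http_url` and `load_history` and the sample messages are made up for illustration, and each stored message is treated as one candidate URL.

      ```c
      #include <stdio.h>
      #include <string.h>

      /* Hypothetical names throughout; handles only http://host[:port][/path]. */
      enum url_status { URL_OK, URL_NOT_HTTP, URL_EMPTY_HOST, URL_BAD_PORT, URL_TOO_LONG };
      struct url_parts { char host[256]; int port; };

      enum url_status parse_http_url(const char *s, struct url_parts *out)
      {
          static const char scheme[] = "http://";
          memset(out, 0, sizeof *out);              /* host is never left uninitialized */
          out->port = 80;
          if (strncmp(s, scheme, sizeof scheme - 1) != 0) return URL_NOT_HTTP;
          const char *auth = s + sizeof scheme - 1;
          size_t auth_len = strcspn(auth, "/?#");   /* authority stops at path, query or fragment */
          size_t host_len = strcspn(auth, ":/?#");  /* host stops at ':' or end of authority */
          if (host_len == 0) return URL_EMPTY_HOST; /* "http://:" and "http://" end up here */
          if (host_len >= sizeof out->host) return URL_TOO_LONG;
          memcpy(out->host, auth, host_len);        /* the memset above supplies the NUL */
          if (host_len < auth_len) {                /* a ':' follows the host */
              const char *p = auth + host_len + 1;
              size_t port_len = auth_len - host_len - 1;
              int port = 0;
              /* An empty port is rejected here; that is a strict choice of this example. */
              if (port_len == 0 || port_len > 5) return URL_BAD_PORT;
              for (size_t i = 0; i < port_len; i++) {
                  if (p[i] < '0' || p[i] > '9') return URL_BAD_PORT;
                  port = port * 10 + (p[i] - '0');
              }
              if (port < 1 || port > 65535) return URL_BAD_PORT;
              out->port = port;
          }
          return URL_OK;
      }

      /* Start-up pass over stored history: a bad message is logged with its index
         and reason, kept as plain text, and the loop carries on to the next one. */
      int load_history(const char *const *msgs, size_t n, int *rejected)
      {
          int linked = 0;
          *rejected = 0;
          for (size_t i = 0; i < n; i++) {
              struct url_parts u;
              enum url_status st = parse_http_url(msgs[i], &u);
              if (st == URL_OK) {
                  linked++;
              } else if (st != URL_NOT_HTTP) {
                  fprintf(stderr, "history[%zu]: bad URL, status %d, kept as text\n", i, (int)st);
                  (*rejected)++;
              }
          }
          return linked;
      }

      int main(void)
      {
          /* Constructed sample history, not real chat data. */
          const char *msgs[] = { "hello", "http://example.com:8080/a", "http://:", "http://example.org" };
          int rejected, linked = load_history(msgs, 4, &rejected);
          printf("linked=%d rejected=%d\n", linked, rejected);
          return 0;
      }
      ```

      Because the bad message is rejected per record and logged with its index, one stored `http://:` no longer decides whether the rest of the history loads.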

    2. Re:Wow ... by _anomaly_ · · Score: 4, Funny

      Yeah, pretty epic bug.
      We use Skype for communicating with coworkers (we are a very small company, and all telecommute, so to speak), when the conversation doesn't warrant a phone call (on our IP phones).
      But I'm still very tempted to try it. It's like a big red button that says DO NOT PUSH.

      --
      "I have no special gift, I am only passionately curious." - Albert Einstein
    3. Re:Wow ... by The MAZZTer · · Score: 3, Informative

      Full uninstall does not fix it. The message crashes Skype just by being in your chat history. Your chat history is stored in the cloud so you can't delete it!

      The only person who can delete it is the sender (assuming they didn't crash themselves). So if it was malicious you're screwed until MS fixes the bug and pushes out an update for the client over Windows Update (at least the good news is they can do this, now).

    4. Re:Wow ... by JaredOfEuropa · · Score: 4, Informative

      Isn't the history stored on their server? In that case you're SOL.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    5. Re:Wow ... by _xeno_ · · Score: 4, Informative

      Yep.

      First thing a new installation of Skype does is download every single message you've received for the past several months, I think.

      I haven't tried deleting a history file (they're actually SQLite databases) but I think the same thing happens in that case: Skype sees that it isn't up to date on messages and redownloads them.

      --
      You are in a maze of twisty little relative jumps, all alike.
    6. Re:Wow ... by msauve · · Score: 4, Funny

      " It's like a big red button that says DO NOT PUSH."

      You know that big button near the door in the data center, the one labeled "Halon?" That's French for "exit," so you push that to unlock the door and get out.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    7. Re:Wow ... by The Grim Reefer · · Score: 2

      Can someone confirm this? Every time I've changed computers, the conversation log starts over for me. I always assumed it was kept on my local system.

    8. Re:Wow ... by MobyDisk · · Score: 3, Funny

      I don't believe you. You are just trying to lull me into a sense of security to make me do it.

  3. FIXED by Anonymous Coward · · Score: 5, Informative

    http://community.skype.com/t5/Windows-desktop-client/Skype-Fix-for-crashes-caused-by-bad-URL/td-p/3997463

  4. Really? by TWX · · Score: 4, Insightful

    It's been fifteen years since I as a very, very junior quality assurance engineer had to calmly walk over to the software developers that were working on communications protocols and explain to them that while their protocols (POP3 and SMTP in this case) only truly needed to meet current RFC as far as their list of implemented commands and features was concerned, they had to be able to gracefully handle any and all non-RFC data that they received, even if only to cleanly reject it with an error or to terminate the connection. Instead the implementations would crash hard, requiring the system manager on the platform to detect that they'd gone down in a ball of flames and restart them. They couldn't understand how non-RFC stuff would be sent, even to the point of not understanding how deprecated commands from previous RFCs might still be in-practice, let alone all of the various possible reasons that either accidental garbage or intentional sending of garbage to try to break in could be the case.

    That such problems as basic as incorrectly typed URLs could break Skype is beyond understanding. This should have been sanity-checked as part of the regular process of handling a URL, and in this particular case probably simply autocorrected and attributed to user ignorance.

    --
    Do not look into laser with remaining eye.
    1. Re:Really? by gstoddart · · Score: 4, Insightful

      That such problems as basic as incorrectly typed URLs could break Skype is beyond understanding.

      I don't think it's beyond understanding. Not even a little.

      Microsoft has always been pioneers of the "let's try to embed 'smarts' in stuff to make it cooler and friendlier to use" kind of thing.

      Autorun on media, for instance has caused a lot of problems with things like viruses and rootkits.

      Hell, Microsoft pioneered the technology which meant you could get a virus without opening the attachment of an email -- and up until then people had been saying "no, you can't get a virus simply from clicking on the email unless you run the attachment". Then Microsoft went straight to running the attachment and proved them wrong.

      Microsoft tries so hard to coat the world in eye candy and do things for the user that they often go straight to the "well, you clearly want me to run that".

      So in this case it probably went "ZOMG, teh URL" and jumped to running some code.

      I have found over the years Microsoft's zeal to have dynamic, flashy content often means they create things which make for terrible robustness.

      Like their widgets and live desktop stuff they've now had to deprecate on no less than three different platforms that I'm aware of because it was a giant security hole.

      They put in a feature which says "wow, we'll just run this stuff because it's awesome", only to run smack into the wall of "but it's also dangerous".

      --
      Lost at C:>. Found at C.
    2. Re:Really? by scamper_22 · · Score: 4, Interesting

      It's often not even ignorance. Sometimes there is a mentality of correctness over keeping it running.

      Never is this more of a debate than in exception handling.

      I've worked in places where it was against the gods if you simply had a catch( Exception e). You had to *know* which exceptions you are catching and then catch each one separately.

      The keep it running in me is annoyed because there's always some possibility of a runtime Exception or that we miss something and then it crashes instead of just failing that one operation.

      The reason given was it is better for us to find out the exception and then fix the code, than to mask it with a catch all.

      To each his own, but it's definitely not as simple as ignorance.
      I've fought a lot of battles writing the software. I can tell it's often the case of correctness versus keep it running.

    3. Re:Really? by gstoddart · · Score: 4, Insightful

      I would argue that a failure to catch an un-enumerated exception is neither correctness, nor keeping it running.

      However, I've heard the argument about the elegance and beauty of letting it crash because it's a real defect which should be identified ... I just disagree that an ungraceful failure is the way to do it.

      I hope the people writing self-driving cars don't have the idiotic mindset that if they haven't enumerated the error it should be allowed to fail spectacularly.

      The reality is, in the real world when software doesn't fail gracefully, some smug idiot of a developer who said you shouldn't catch things you didn't anticipate isn't there to clean up his mess. So his damned "correctness" becomes an aesthetic thing which is useless.

      That's just defective by design, because either your design is 100% perfect and infallible, or it's pretty and elegant but is a crash waiting to happen.

      Reality seldom conforms to the pre-planned expectations of the guys who built the product.

      "Correctness" isn't correct if it can't account for incomplete correctness. It's lazy and ideological.

      --
      Lost at C:>. Found at C.
    4. Re:Really? by ComputerGeek01 · · Score: 4, Interesting

      As a Sys Admin, and therefore your consumer, I couldn't care less if you fail hard or try to recover. But LOG THE GOD DAMN ERROR FOR WHAT IT IS FIRST! There is nothing more mind bogglingly useless than some dip-shit programmer who thinks "Duh, the user should just keep trying until it works. I don't need to prompt them with anything more than 'ERROR: An Error Has Occurred'". Or even worse is the crowd of useless knuckle draggers who think that catching an exception and doing absolutely nothing in the interest of 'keeping things running' is the right course of action every time. I don't need to see your code, I already know it sucks. Otherwise it would have been too expensive for my employers to want to purchase. But at least tell us where it is failing.

  5. little Bobby Tables strikes back by dunkelfalke · · Score: 4, Funny

    Nuff said

    --
    "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
    1. Re:little Bobby Tables strikes back by TWX · · Score: 3, Interesting

      I showed that strip to a friend of mine that maintains the DB for a school district's enrollment system. She laughed. Then she got into the system and checked how that was coded...

      --
      Do not look into laser with remaining eye.
  6. Does it affect the Linux client? by kervin · · Score: 3, Insightful

    Is this still Slashdot? Do we still like, or report on Linux anymore?

    1. Re:Does it affect the Linux client? by suso · · Score: 2

      Well of course it doesn't affect the archaic version of Skype provided for Linux as a courtesy by Microsoft.

      Seriously though, just tested it, it doesn't seem to be affected. The nice thing about how it works in Linux is that you can just backup your .Skype folder beforehand and restore it if there is a problem.

  7. Re:Why Skype? by ModelX · · Score: 2

    I don't understand how Skype grew to such dominance in the ip communication field while being such a bad piece of software. I've been helping users improve their computer's abysmal performance by uninstalling Skype for years.

    What does Skype do better than everyone else? Why is it so popular? Is it just the network effect, or does it have actual good points to offset the bad?

    Skype grew to dominance because it was really good at getting around all kinds of firewalls.

  8. Re:Why Skype? by Ash-Fox · · Score: 2

    What does Skype do better than everyone else?

    It provides international VOIP telephony fairly reliable and free. Works around most networking issues too. It's a shame the current generations of the software are quite slow.

    --
    Change is certain; progress is not obligatory.
  9. Re: Remember folks... by Fwipp · · Score: 2

    Nope. The problem was that it crashes when trying to read your logs, and if it didn't have the logs it would fetch them from the server.

  10. Re:Web developers know they'll be attacked by Gr8Apes · · Score: 2

    You are smoking crack. Web developers, those writing crappy PHP websites or just straight HTML do not have a clue about security. Those writing enterprise apps at least know what the word means, but the general web page developer still does exactly 0 security work.

    --
    The cesspool just got a check and balance.
  11. UPDATE - Bug has just been fixed. by schneidafunk · · Score: 3, Informative

    FTA: Update on June 3: Skype has fixed the bug, and in under 24 hours no less. “We are aware of a Skype issue and have rolled out updates for all impacted products,” a Skype spokesperson told VentureBeat.

    --
    Some people die at 25 and aren't buried until 75. -Benjamin Franklin