
This bug has now been patched, so there is no need to worry much about it, but it still matters to IT pros.

Skype acknowledged Tuesday that all its VoIP (Voice over Internet Protocol) clients suffer from bugs that leave machines susceptible to crashes and/or open them to attacks that could take control of the computers. But even as it patched the software, one analyst questioned how the popular service carried out the fix.
The flaws, which were reported by Danish vulnerability tracker Secunia and judged a “Highly critical” problem, involve the Windows, Linux, Mac OS X, and Pocket PC versions of the Skype client.

But even as Skype released patches for all but the bug in Pocket PC, Lawrence Orans, a research director at Gartner and an expert on VoIP security, questioned the company’s ability to deliver a secure network.

“Earlier this year, when Microsoft’s instant messenger client was vulnerable, Microsoft shut down [MSN] and then when users tried to connect, required them to update to a patched client. Microsoft essentially did our vulnerability management for us,” said Orans.

Not so with Skype. When TechWeb launched a vulnerable version of the Windows client Tuesday, Skype did not require an update to connect to its network. Nor did it offer the fixed version when the client’s “Check for Update” feature was selected, but instead presented another vulnerable edition.

One of the Skype bugs — found by a pair of researchers from U.K.-based security firm Pentest, Limited — affects Skype for Windows 1.1.0.0 through 1.4.0.83. An attacker can use it to trigger a buffer overflow on the PC and then use that overflow to run additional code on the computer. All the attacker needs to do is convince a user to click on a malicious Skype-style URL.
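The shape of the defect described above, as an added illustration that is not Skype's code and not from the Pentest advisory: a URL handler that copies the part after the scheme into a fixed-size stack buffer with no length check, beside a version that refuses input that does not fit. The function names, the buffer size, the `callto:` scheme prefix and the sample inputs are assumptions made for this example.

```c
/* Added illustrative example, not Skype's code: a URL handler that copies the
 * call target into a fixed-size stack buffer without a length check, beside a
 * bounded version. Function names, TARGET_MAX and the "callto:" scheme prefix
 * are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define TARGET_MAX 32   /* assumed fixed buffer size; arbitrary */

/* Vulnerable pattern: strcpy into a fixed buffer. Anything longer than
 * TARGET_MAX-1 characters after the scheme overwrites the stack. Only ever
 * call this with short input; it is here to show the shape of the defect. */
int handle_url_unsafe(const char *url) {
    char target[TARGET_MAX];
    const char *p = strchr(url, ':');
    if (p == NULL) return -1;
    strcpy(target, p + 1);            /* no bound: overflows on long input */
    return (int)strlen(target);
}

/* Hardened: verify the scheme, then refuse anything that does not fit rather
 * than truncating silently (truncation could turn one target into another),
 * and keep the accepted character set narrow. Returns the target length,
 * or -1 on rejection. */
int handle_url_safe(const char *url, char *out, size_t out_len) {
    static const char scheme[] = "callto:";   /* assumed scheme prefix */
    size_t slen = sizeof(scheme) - 1;
    if (strncmp(url, scheme, slen) != 0) return -1;
    const char *p = url + slen;
    size_t n = strlen(p);
    if (n == 0 || n >= out_len) return -1;    /* reject, do not truncate */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)p[i];
        if (!(c >= '0' && c <= '9') && !(c >= 'a' && c <= 'z') &&
            !(c >= 'A' && c <= 'Z') && c != '+' && c != '.' &&
            c != '_' && c != '-')
            return -1;
    }
    memcpy(out, p, n + 1);                     /* n + 1 copies the NUL */
    return (int)n;
}

int main(void) {
    char buf[TARGET_MAX];
    /* constructed inputs: one well-formed target, one overlong one */
    const char *ok = "callto:alice";
    char overlong[256];
    memset(overlong, 'A', sizeof overlong - 1);
    memcpy(overlong, "callto:", 7);
    overlong[sizeof overlong - 1] = '\0';

    printf("safe(ok)=%d\n", handle_url_safe(ok, buf, sizeof buf));
    printf("safe(overlong)=%d\n", handle_url_safe(overlong, buf, sizeof buf));
    return 0;
}
```

The hardened handler rejects the overlong input instead of trimming it, because a silently truncated target can still be a valid but different target; the unsafe variant is only ever exercised on input that fits, since running it on the overlong string is undefined behaviour by construction.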

“In addition, Skype can be made to execute arbitrary code during importation of a VCARD that is in a specific non-standard format,” wrote the Pentest researchers, Mark Rowe and Joe Moore, in their advisory.

Quoted from Information Week