October 25th, 2005 by Chandler Howell

While procrastinating from mapping controls to risks, I just flipped over to eWeek to kill a little time and learned that Skype just released updates to cover multiple critical security vulnerabilities.

Multiple security flaws in the popular Skype voice chat application could put millions of users at risk of computer takeover attacks, the company acknowledged Tuesday.

Skype Technologies S.A., which is being acquired by eBay Inc., warned in two separate advisories that the vulnerabilities could lead to system access or denial-of-service attacks.

The Skype program, which uses peer-to-peer technology to route phone calls over the Internet, is one of the most popular desktop applications sitting behind firewalls, making the threat vector even more serious.

So I head over to Skype’s Web site to see how they present it. And what I discovered is that they’re not presenting it. Not on the homepage, not on the download page, not on the developer page, not even on the main security page, which I found only by manually typing “http://skype.com/security” into my browser. But was the vulnerability notice there? Nope. Their bought-and-paid-for cryptography review was there, though. Finally, I found it on their vulnerability bulletins page. Whew. After all that, I was almost too tired to read the notices.

Still, I plowed on and soon discovered that the first vulnerability is a nasty one (the second is a boring ol’ DoS): an exploitable buffer overflow in Skype’s URI parser for “callto://” and “skype://”. Not good. Host the malicious link on an SSL’ed Web server and you’ll blow right past any IDS or IPS countermeasures and be 0wning machines inside firewalls in no time, then potentially using Skype’s own crypto and peer-to-peer architecture as the control channel for whatever botnet or other bit of nastiness the attacker wants to install.
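The bug class here is a URI handler that copies attacker-chosen input into a fixed buffer. As an added illustration (constructed for this post, not Skype’s code and not based on the advisory’s internals), here is a bounded parser for callto:// and skype:// targets that rejects unknown schemes, overlong input and unexpected characters before it copies anything; TARGET_MAX and the permitted character set are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed example, not Skype's code. Models a protocol handler that the
 * browser launches with an attacker-chosen "callto://..." or "skype://..."
 * string, so every field is validated before anything is copied. */

#define TARGET_MAX 64  /* assumed cap on a callee name or number */

enum uri_status { URI_OK = 0, URI_BAD_SCHEME, URI_EMPTY, URI_TOO_LONG, URI_BAD_CHAR };

/* Copy the call target after the scheme into a bounded, NUL-terminated buffer.
 * The classic URI-parser overflow is a strcpy()-style copy of that tail into a
 * fixed buffer with no length check; the check below is what prevents it. */
enum uri_status parse_call_uri(const char *uri, char *target, size_t target_cap)
{
    static const char *const schemes[] = { "callto://", "skype://" };
    const char *rest = NULL;

    for (size_t i = 0; i < sizeof schemes / sizeof schemes[0]; i++) {
        size_t n = strlen(schemes[i]);
        if (strncmp(uri, schemes[i], n) == 0) { rest = uri + n; break; }
    }
    if (rest == NULL)
        return URI_BAD_SCHEME;            /* only the two registered schemes */

    size_t len = strlen(rest);
    if (len == 0)
        return URI_EMPTY;
    if (len > TARGET_MAX || len >= target_cap)
        return URI_TOO_LONG;              /* bound checked before the copy */

    /* Allow only what a Skype name or dialable number can contain (assumed set). */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)rest[i];
        if (!isalnum(c) && c != '+' && c != '.' && c != '-' && c != '_')
            return URI_BAD_CHAR;
    }
    memcpy(target, rest, len);
    target[len] = '\0';
    return URI_OK;
}

/* Validation-only wrapper for callers that just need a verdict. */
enum uri_status check_call_uri(const char *uri)
{
    char scratch[TARGET_MAX + 1];
    return parse_call_uri(uri, scratch, sizeof scratch);
}
```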

The Blackhat in me salivates at the prospect. It’s beautiful security judo, leveraging tools designed to protect confidentiality (crypto) and availability (peer-to-peer) to better hide my nefarious doings. Combine it with a Skype API-based payload and you’ve got a Skype worm that can leverage the implicit trust relationship of contact lists to propagate further, all potentially wrapped inside Skype’s own crypto.

Too bad the first that most of Skype’s 60 million-and-growing users will ever hear of it will be after someone who does pay attention to these sorts of things decides to find out whether it’s possible to create a 60-million node botnet, or to retire after making The One Big Score with SkypeOut and toll fraud.

Hey Skype, Ignoring Risk is Accepting Risk–NOT Avoiding it. Put this on your main page while upgrading is still prevention rather than incident response.

- Posted in Security and Risk Management, VoIP
