Skype, Buffer Overflows, and the Inimical Few

George Ou over at zdnet.com recently posted an article that exposes a possible new security flaw in Skype 2.0. Apparently, Skype attempts to write data into executable memory space, which is a potentially dangerous situation called a buffer overflow.

While it is most likely innocuous in this case (as there is no real reason for Skype to purposefully include buffer overflows in their own software), under some circumstances these are dangerous backdoors for hackers. In short, a buffer overflow is a mechanism by which a programmer can force executable code into memory in such a way that a program is tricked into running it. The fact that Skype exhibits an inability to detect its own buffer overflows indicates that it may be susceptible to intentional overflows.

However, I almost wonder if Mr. Ou's computer has contracted a virus unbeknownst to him. On the other hand, it's possible that the Skype developers simply overestimated one of their buffers, and accidentally spilt out of it in the course of normal (non-malicious) code execution.

That said, George does offer some excellent guidelines on how to enable buffer overflow detection in Windows (called Data Execution Prevention). His article is most definitely worth a read, and his suggestions are a great starting point for the security-conscious.