Typing 'http://:' Into a Skype Message Trashes the Installation Beyond Repair
An anonymous reader writes: A thread at the Skype community forums has brought to light a critical bug in Microsoft's Skype clients for Windows, iOS and Android: typing the incorrect URL initiator http://: into a text message on Skype will crash the client so badly that it can only be repaired by installing an older version and awaiting a fix from Microsoft. The bug does not affect OS X or the 'Metro'-style Windows clients — which means, effectively, that Mac users could kill the Skype installations on other platforms just by sending an eight-character message.
Oh well (Score:5, Interesting)
It's hardly the only thing that causes Skype to crash, and work intermittently at best, and to be fair, it actually started before Microsoft bought them.
Re:Oh well (Score:5, Insightful)
Crashing is one thing.
Parsing input data sufficiently badly as to require an uninstall? That's pretty epic.
Re:Oh well (Score:5, Funny)
Watch out, everybody! There's a new Windows virus going about. See here for more information http://:
Re: (Score:2)
I think you mean
skype://http://:bye.html
Re: (Score:3)
I missed it, what was that about?
Re: (Score:3)
You must have missed the IMF / Rootkit issue.. Or ignored it.
Was that the Impossible Mission Force or the International Monetary Fund?
Re: (Score:3)
Parsing input data sufficiently badly as to require an uninstall? That's pretty epic.
What do you want from the NSA contractor sent in to write the install code? Did he get a government job because he could make it in industry?
Re: (Score:2)
Actually it makes perfect sense. When the app reloads it tries to parse it again to display the last message.
Re: (Score:2)
"There's a reason I only used Skype when forced to. "
Forced? You mean when you are too cheap to pay for a phone call.
Re: (Score:2)
Forced? You mean when you are too cheap to pay for a phone call.
For unknown reasons, Skype seems to be the instant-messenger of choice these days. I use it all the time to talk to friends; never made a voice call with it.
Re: (Score:2)
Skype is a perfectly good product. You can bash it all you want but fact is that many users prefer it over the alternatives which is why it's so popular.
Re: (Score:3)
It's not as epic as you might think. Skype, like many apps, keeps a message history/log. When it opens it parses that history. Since the bug is in the parser, it crashes when starting up. The only solution is to either remove the log files or go back to an earlier version that doesn't have the buggy parser code.
It's a not uncommon fault with apps that load data at start-up, which is most of them. For example, I have some industrial logging software made by Picolog that crashes on start-up when you have cert
Re: Oh well (Score:2, Funny)
They took the indentation war too seriously.
Re: (Score:2)
Almost twice as many people died in that war than died in the cola wars
And Tab was involved with both!
. ..
Man, Tab tasted terrible.
Re: (Score:2)
There's an inverse relationship between the cost of software (including software included with hardware, like industrial devices), and the quality of that software.
"Enterprise" software is widely regarded as crap, but the software on expensive industrial machines is probably even worse.
Re:Oh well (Score:5, Insightful)
This. So much this.
I usually defend MS against people who I believe unfairly attack them, but you've really struck a nerve.
I don't know what team is responsible for Skype, but they have done such a mind boggling horrible job I'm half convinced they're intentionally trying to kill it, cut it into small pieces, then burn the remains before firing the ashes into the nearest black hole.
Every single version they push out has been worse than the last, and the last good version was 6.18. I loathe the day when they finally kill this version to force people into their newer, more broken, buggy, and less featured version. And to boot it wasn't enough that they started forcing people to update by patching it through Windows Update. I started my computer one day to find Skype completely uninstalled -- all because of Windows Update (which I now review for all updates after this tragic experience). Somehow it managed to uninstall itself and then couldn't reinstall itself because I replaced the update file with a dummy.
They keep removing features but *promise* to put them back in... And even years later the features still haven't been added back in. But hey that's okay because now Skype can use even larger emoticons. Well fucking thanks for that useless fucking feature. That's all Skype gets nowadays, useless improvements and worse performance. The calls I get with 6.18 are perfect but with any version 7 I may as well just write letters and send them through the mail.
Oh but wait they changed the UI to be even worse! Now you have chat bubbles for some stupid fucking reason.
Microsoft we deserve an explanation for this total fucking incompetence. Maybe you should hire actual software developers instead of monkey interns who think smashing their face into a keyboard is an acceptable way to write software.
Re: (Score:3)
No, I'm pretty sure it's sheer stupidity. I just tried to turn on .net 3.5 framework, which many different software packages require. At the moment, it's almost impossible to do. Microsoft's own security packages have made .net 3.5 almost impossible to install and use.
For the record, you *can* do it, if you have original media and can run an obscure set of commands through an elevated cmd prompt. I only burned up 2 or 3 hours of otherwise productive time working around yet another "security" issue.
Security'
Re: (Score:2)
Sounds about right. More and more long running software is facing a changing of the guards, and the new ones approach software development as if it is website devops (you know the bottom has been reached when an ever-changing site is being talked about as an "app").
I'm tempted to blame Google and Facebook for this, especially the likes of Zuckerberg's "move fast and break things" slogan.
Re: (Score:2)
Yeah unlike desktop developers, any decent web developer KNOWS that their code will be attacked all the time, and designs it appropriately.
Most web developers aren't decent, and don't know how to design their code securely.
Re: (Score:2)
That's funny because the vast majority of web developers that I've come across have thought that they just needed to validate the input using JavaScript in the browser and leave it at that.
Re: (Score:2)
With Android, a simple checkbox enables you to install applications from a source other than Google's store. Then search for the version you want, uninstall the version you do not want, and install the version you do want. This is not complex.
Re: (Score:2)
" because I replaced the update file with a dummy" ... why?
Re: (Score:2)
Skype's update service became so obnoxious that the more savvy users, to prevent their older client from upgrading without their permission, replaced the updater with a dummy file. That is, an empty file that doesn't do anything.
Re: (Score:2, Interesting)
This. Skype was once independent and peer-to-peer, making it hard to wiretap. Then Microsoft, presumably at the behest of the NSA, bought it and centralized the networking structure.
Re: Oh well (Score:2)
They already got paid. They're just waiting for their options to vest.
Re: (Score:2)
http://:community.skype.com/t5/Windows-desktop-client/Critical-bug-Skype-7-4-85-102-simple-message-crush-client/td-p/3996419 [skype.com]
edit: Slashdot seems to be auto-fixing the HREF links... damnit.
Wow ... (Score:5, Insightful)
Good job guys!!
I'm not even sure I've heard of an error condition which required a full uninstall.
I predict many people will be sending that string today. I also predict someone will attempt to charge the people sending it with criminal hacking.
Keep up the good work.
Re:Wow ... (Score:5, Informative)
I'm not even sure I've heard of an error condition which required a full uninstall.
I can guess why and I doubt an uninstall would help.
All you really need to know is that Skype saves conversations and redisplays them when it starts. So you send someone http://:, that triggers the bug, and on restart, it reloads the conversation and crashes again.
If that's the case, a reinstall won't help, because Skype will just re-download the missed messages and reencounter the bad URL and reenter the crash loop.
(Presumably the bug is that they see the second ":", decide it's the start of a port, and leave the hostname uninitialized, causing a crash.)
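The crash loop described in the comment above, as an added example that is not part of the original thread and is not Skype's code: a history replay that isolates each message, run once with a deliberately fragile link parser and once with a parser that treats a host-less `http://:` as plain text. All names (`naive_linkify`, `linkable_url`, `replay_history`) and the sample history are hypothetical and constructed for illustration.

```python
import logging
from urllib.parse import urlsplit

log = logging.getLogger("history")

# Constructed sample history: (message id, text). Not real Skype data.
HISTORY = [
    (1, "see http://example.com:8080/docs"),
    (2, "http://:"),
    (3, "lunch?"),
]

def naive_linkify(token):
    """Hypothetical fragile parser modelled on the commenters' guess:
    it splits host from port and then uses the host without checking it."""
    if not token.startswith("http://"):
        return None
    authority = token[len("http://"):].split("/", 1)[0]
    host, _, _port = authority.partition(":")
    if host[0] == ".":            # IndexError when the host is empty
        return None
    return token

def linkable_url(token):
    """Return the token if it is safe to render as a link, else None.
    Anything that does not parse cleanly is shown as ordinary text."""
    try:
        parts = urlsplit(token)
        host = parts.hostname     # None for "http://:"
        parts.port                # ValueError for a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return token

def render_message(text, linkify):
    """Split a message into ("link", token) and ("text", token) segments."""
    return [("link", t) if linkify(t) else ("text", t) for t in text.split()]

def replay_history(messages, linkify):
    """Render stored messages at start-up. A message whose rendering fails
    is logged and quarantined so that it cannot abort every later start."""
    rendered, quarantined = [], []
    for msg_id, text in messages:
        try:
            rendered.append((msg_id, render_message(text, linkify)))
        except Exception as exc:
            log.warning("message %s not rendered: %s", msg_id, type(exc).__name__)
            quarantined.append(msg_id)
            rendered.append((msg_id, [("text", "[message could not be displayed]")]))
    return rendered, quarantined

if __name__ == "__main__":
    for parser in (naive_linkify, linkable_url):
        shown, bad = replay_history(HISTORY, parser)
        print(parser.__name__, "quarantined:", bad)
        for msg_id, segments in shown:
            print("  ", msg_id, segments)
```
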
Re:Wow ... (Score:5, Informative)
Yep.
First thing a new installation of Skype does is download every single message you've received for the past several months, I think.
I haven't tried deleting a history file (they're actually SQLite databases) but I think the same thing happens in that case: Skype sees that it isn't up to date on messages and redownloads them.
Re: (Score:2)
I have never had logs persist between installs, or different devices. Is that a new thing?
Re: (Score:2)
Correction, new version does store and retrieve logs. That's kinda distressing.
Re: (Score:2)
Yep, same as the bug that hit Apple last month where certain characters in Wifi SSIDs would cause your phone to enter an unrecoverable boot loop until you went out of range. The phone crashes, reboots, sees the same network, crashes, reboots, sees the same network...
It's a pretty common problem with software that saves any kind of settings or data that is reloaded when it starts up.
Re:Wow ... (Score:5, Funny)
We use Skype for communicating with coworkers (we are a very small company, and all telecommute, so to speak), when the conversation doesn't warrant a phone call (on our IP phones).
But I'm still very tempted to try it. It's like a big red button that says DO NOT PUSH.
Re:Wow ... (Score:5, Funny)
You know that big button near the door in the data center, the one labeled "Halon?" That's French for "exit," so you push that to unlock the door and get out.
Re: (Score:2)
That reminds me of the safety showers [eyewashdirect.com] that we have in every lab. You know what's going to happen when you pull that loop and you know that there's no drain on the floor and it's going to make a big mess, but damn if it's not tempting...
(I have to admit that I pulled one for the fun of it and it did make a big mess as expected. Totally worth it. I don't imagine pressing the halon button would go over quite as well.)
Re:Wow ... (Score:4, Funny)
I don't believe you. You are just trying to lull me into a sense of security to make me do it.
Re: (Score:2)
And yet, there it is ... that big, gleaming red button ... press it ...go ahead ... you know you wanna
Re: (Score:2)
You guys should really be using Jitsi [jitsi.org] internally and a local deployment of http://meet.jit.si [meet.jit.si] for communicating with random customers who shouldn't have to install a third party client just to talk to you.
Re: (Score:2)
Internally, however, it does look like a nice alternative to Skype; but try telling that to the boss who likes to use the Skype app on his mobile phone for conference calls.
Re:Wow ... (Score:4, Informative)
Full uninstall does not fix it. The message crashes Skype just by being in your chat history. Your chat history is stored in the cloud so you can't delete it!
The only person who can delete it is the sender (assuming they didn't crash themselves). So if it was malicious you're screwed until MS fixes the bug and pushes out an update for the client over Windows Update (at least the good news is they can do this, now).
Re: (Score:2)
LOL ... it gets better and better.
Of the zillions of places where Microsoft parses URLs, across all their platforms and products, you can completely hose the install of something with 8 characters.
One wonders if there are any other places which will keel over and die by simply putting that in.
The mind reels with incredulity and glee.
Schadenfreude, it's not just for breakfast any more!!
Re: (Score:2)
I can confirm that it does crash skype. Gotta say, I'm pretty impressed with the stupidity involved in allowing that bug to survive.
Re: (Score:2)
http://screenrant.com/wp-conte... [screenrant.com]
FIXED (Score:5, Informative)
http://community.skype.com/t5/Windows-desktop-client/Skype-Fix-for-crashes-caused-by-bad-URL/td-p/3997463
Really? (Score:5, Insightful)
That such problems as basic as incorrectly typed URLs could break Skype is beyond understanding. This should have been sanity-checked as part of the regular process of handling a URL, and in this particular case probably simply autocorrected and attributed to user ignorance.
Re: (Score:2)
This isn't so bad as you make out; there is no telling how long this bug has been there, but did not appear until now, and with limited impact, and a fix was released in a matter of hours.
As for sanity checking, there is no guarantee that would have caught this bug; the malformed URL has a deceptive proximity to correctness, to wit, that all the characters belong in a URL and are presented in the correct order. The essential missing piece, the hostname, is explicitly defined as ambiguous in RFC 3986 because
Re:Really? (Score:5, Insightful)
I don't think it's beyond understanding. Not even a little.
Microsoft has always been pioneers of the "let's try to embed 'smarts' in stuff to make it cooler and friendlier to use" kind of thing.
Autorun on media, for instance has caused a lot of problems with things like viruses and rootkits.
Hell, Microsoft pioneered the technology which meant you could get a virus without opening the attachment of an email -- and up until then people had been saying "no, you can't get a virus simply from clicking on the email unless you run the attachment". Then Microsoft went straight to running the attachment and proved them wrong.
Microsoft tries so hard to coat the world in eye candy and do things for the user that they often go straight to the "well, you clearly want me to run that".
So in this case it probably went "ZOMG, teh URL" and jumped to running some code.
I have found over the years Microsoft's zeal to have dynamic, flashy content often means they create things which make for terrible robustness.
Like their widgets and live desktop stuff they've now had to deprecate on no less than three different platforms that I'm aware of because it was a giant security hole.
They put in a feature which says "wow, we'll just run this stuff because it's awesome", only to run smack into the wall of "but it's also dangerous".
Re:Really? (Score:5, Interesting)
It's often not even ignorance. Sometimes there is a mentality of correctness over keeping it running.
Never is this more of a debate than in exception handling.
I've worked in places where it was against the gods if you simply had a catch( Exception e). You had to *know* which exceptions you are catching and then catch each one separately.
The keep it running in me is annoyed because there's always some possibility of a runtime Exception or that we miss something and then it crashes instead of just failing that one operation.
The reason given was it is better for us to find out the exception and then fix the code, than to mask it with a catch all.
To each his own, but it's definitely not as simple as ignorance.
I've fought a lot of battles writing the software. I can tell it's often the case of correctness versus keep it running.
Re:Really? (Score:5, Insightful)
I would argue that a failure to catch an un-enumerated exception is neither correctness, nor keeping it running.
However, I've heard the argument about the elegance and beauty of letting it crash because it's a real defect which should be identified ... I just disagree that an ungraceful failure is the way to do it.
I hope the people writing self-driving cars don't have the idiotic mindset that if they haven't enumerated the error it should be allowed to fail spectacularly.
The reality is, in the real world when software doesn't fail gracefully, some smug idiot of a developer who said you shouldn't catch things you didn't anticipate isn't there to clean up his mess. So his damned "correctness" becomes an aesthetic thing which is useless.
That's just defective by design, because either your design is 100% perfect and infallible, or it's pretty and elegant but is a crash waiting to happen.
Reality seldom conforms to the pre-planned expectations of the guys who built the product.
"Correctness" isn't correct if it can't account for incomplete correctness. It's lazy and ideological.
Re: (Score:2)
Add to it that in Microsoft world you don't have to declare the exceptions that can be thrown so if a new library version throws a new exception you won't know it until you test a failure instead of seeing it at compile time.
Re:Really? (Score:5, Interesting)
As a Sys Admin, and therefore your consumer, I couldn't care less if you fail hard or try to recover. But LOG THE GOD DAMN ERROR FOR WHAT IT IS FIRST! There is nothing more mind bogglingly useless than some dip-shit programmer who thinks "Duh, the user should just keep trying until it works. I don't need to prompt them with anything more than 'ERROR: An Error Has Occurred'". Or even worse is the crowd of useless knuckle draggers who think that catching an exception and doing absolutely nothing in the interest of 'keeping things running' is the right course of action every time. I don't need to see your code, I already know it sucks. Otherwise it would have been too expensive for my employers to want to purchase. But at least tell us where it is failing.
Re:Error 1201 on Apollo 11 (Score:2)
Re: (Score:2)
That really depends on your environment. Apple's policy with Cocoa is to only throw exceptions for programmer errors. Additionally, the state of the SDK is undefined after an exception is thrown. That may affect only the class instance that threw the exception, but there are no promises either way. Continuing after an exception may lead to data corruption.
I am a big fan of this approach, because programmers are lazy. If the program doesn't crash on trivial programmer errors, the bugs won't be addressed
Re: (Score:2)
You don't want to autocorrect it unless you also provide a way for the user to say, "No, I really meant to type that." After all, what if this were a bug on a different service, say, Facebook, and you wanted to spread the word about it on Twitter? If autocorrect prevents you from typing certain strings, that's a potential problem when coincidentally there's a need to discuss that string. The correct thing is to decide it isn't a URL and just let it go.
Re: (Score:2)
I'm a little surprised that, given the ubiquity of the web over other protocols, we haven't had some shift
little Bobby Tables strikes back (Score:5, Funny)
Nuff said
Re:little Bobby Tables strikes back (Score:4, Interesting)
Does it affect the Linux client? (Score:4, Insightful)
Is this still Slashdot? Do we still like, or report on Linux anymore?
Re: (Score:3)
Well of course it doesn't affect the archaic version of Skype provided for Linux as a courtesy by Microsoft.
Seriously though, just tested it, it doesn't seem to be affected. The nice thing about how it works in Linux is that you can just backup your .Skype folder beforehand and restore it if there is a problem.
Re: (Score:2)
Not unless it runs on a mobile phone. The whole of the tech industry is only interested in selling stuff to mobile users because the only growth industry is selling mobiles to developing countries. Linux is history because the fight for the desktop is over, all the money is in mobiles not desktops so screw desktops. Skype probably did not do any input checking because mobile users do not type in addresses, so who cares?
Re: (Score:2)
http://mrpogson.com/2015/03/02... [mrpogson.com]
2011 + Skype + OxygenXML = crash (Score:2)
I'm a Mac user (Score:2)
Now if only I knew someone who uses Skype chat...
Just remember. . . (Score:2)
these are the programmers getting paid the big bucks because of their supposed skills.
People on here can whine all they want about companies not paying programmers more, but when you have situations like this it's clear why those companies aren't doing so.
Re: (Score:2)
So, you think the junior flunky in India that this was outsourced to is making big bucks? Somehow, I doubt it. What I don't doubt is that the dweebs with MBAs couldn't make a coherent decision to save their lives. Cost savings on a spreadsheet do not equal a viable business that makes money. You have to get "dirty" and get into the business details, or you will be in for a series of epic fails.
Why Skype? (Score:2)
I don't understand how Skype grew to such dominance in the ip communication field while being such a bad piece of software. I've been helping users improve their computer's abysmal performance by uninstalling Skype for years.
What does Skype do better than everyone else? Why is it so popular? Is it just the network effect, or does it have actual good points to offset the bad?
Re: (Score:3)
I don't understand how Skype grew to such dominance in the ip communication field while being such a bad piece of software. I've been helping users improve their computer's abysmal performance by uninstalling Skype for years.
What does Skype do better than everyone else? Why is it so popular? Is it just the network effect, or does it have actual good points to offset the bad?
Skype grew to dominance because it was really good at getting around all kinds of firewalls.
Re: (Score:2)
And once it was actually pretty sleek and good, then it became bloated.
Re: (Score:2)
And once it was actually pretty sleek and good, then it was bought by Microsoft.
FTFY
Re: (Score:2)
No, it became bloated long before Microsoft. It was good some time around 2004 to 2006, then it got fat.
http://: (Score:2)
Speaking of Skype being crap... (Score:2)
Speaking of it being crap. It's gone totally to shit recently in terms of network usage.
Time was I could make skype calls over HSDPA. These days it's impossibly bad. Anyone know a good cross platform voip system that works over 3G and supports conference calls?
Oh also, if there's a long backlog of chat messages about one time in 20, skype will basically fuck up and be unable to sync them. The solution seems to be to blow away all config data (i.e. equivalent to reinstalling) and reinstall it.
Lovely.
Re: (Score:2)
They went to HD voice. I don't know if that accounts for all of it, because even HD voice is way below what you'd use for streaming spotify or similar.
Is this ... (Score:2)
Any thoughts on why it happens to be the URL prefix that does this? Was this some attempt at incorporating web page pushes using the messenger that went horribly wrong?
Re: (Score:2)
It could be that it's being interpreted as a null domain with an alphanumeric port number (if it's some really bad regex of some sort). But I'm sure it has something to do with the process of displaying a URL as a clickable link.
It's not a bug (Score:2)
Summer Intern (Score:2)
Comment removed (Score:4, Informative)
New levels of Skype badness (Score:2)
I mean, Skype has always had troubles, but seriously simply entering http:/// [http] causes not just a message crash, but wrecks the program! This is amazingly bad for a freshman project, much less an "enterprise" ready program from a major vendor.
Steven
Re: (Score:2)
Well, my guess would be that they tokenize by the port separator ':' before doing validation of the URL, and end up performing network operations on empty strings. How in the world that breaks the installation, I have no clue. It may be that it caches the convo, and on trying to read the cache again it breaks? Maybe not.
Re: (Score:2)
There's a new version up that fixes the bug, so the point is moot.
Re: (Score:2)
No, moot has left 4chan.
Re: Remember folks... (Score:3)
Nope. The problem was that it crashes when trying to read your logs, and if it didn't have the logs it would fetch them from the server.
Re: (Score:2)
It has a colon after it.
But, still, sanitise your damn inputs.