In association with heise online

04 February 2008, 12:39

Another security vulnerability in Skype VoIP client


Skype has fixed a security vulnerability in its SkypeFind feature, which attackers could have used to execute JavaScript on Windows PCs. As with holes discovered in Skype in January, the problem is caused by the Windows client displaying external web pages using Internet Explorer's rendering engine and JS/ActiveX API in the local zone context, giving it the full privileges of the logged-on user.

SkypeFind is used to find businesses and services recommended by other Skype users. The client fails to filter the name of the recommended contact properly, and JavaScript inserted into the name field is executed when viewed in the victim's client. The vulnerability was discovered by Israeli security specialist Aviv Raff, who found previous flaws in the software. It is not clear how Skype has closed this hole, but the company says it is unnecessary to update the client. Skype is still working on a patch to fix the actual cross-zone scripting problem, so its "Add video to chat" feature remains disabled.
