Critical hole in Windows version of Skype

A critical security hole has been found in the Windows version of Skype which could give an attacker complete control over a PC using the internet telephony system. The company has disabled a feature allowing users to attach videos to messages until a fix is found for the vulnerability. As a result, the videos on Skype's Dailymotion partner page can no longer be integrated into Skype moods and chats. Videos by Metacafe continue to be available through Skype.

The measure became necessary when information about a Skype vulnerability, which potentially allows attackers to gain control of users' PCs, appeared at the end of last week. It is caused by the way Skype displays the video suppliers' web pages in its video gallery. According to the vendor's advisory, Internet Explorer's HTML rendering engine or JS/ActiveX API are used, but content runs within the context of the local zone, giving it the highest privilege level and the fewest restrictions.

To exploit this vulnerability, attackers must be able to inject arbitrary JavaScript code into the Dailymotion or Metacafe partner pages. This is possible in Dailymotion: When uploading a video it is possible to inject JavaScript code into the video title and launch a cross site scripting attack this way. Skype has released a security advisory about the vulnerability and announced a patch. Until this patch has become available, Skype clients can no longer access Dailymotion videos. No details about how the vendor achieved this are given. According to the report, Skype 3.5.x and 3.6.x are affected.

It remains unclear whether Dailymotion will implement better filtering for uploads.

See also:

• Skype Cross Zone Scripting Vulnerability, Skype security advisory
• Skype cross-zone scripting vulnerability, report by Aviv Raff
• XSS reikšmė Skype bei vaizdo nuotaikų įterpimo interakcijoje, report by Miroslav Luãinskij (in Lithuanian)

(mba)