Critical hole in Windows version of Skype
A critical security hole has been found in the Windows version of Skype which could give an attacker complete control over a PC using the internet telephony system. The company has disabled a feature allowing users to attach videos to messages until a fix is found for the vulnerability. As a result, the videos on Skype's Dailymotion partner page can no longer be integrated into Skype moods and chats. Videos by Metacafe continue to be available through Skype.
The measure became necessary after information about a Skype vulnerability that potentially allows attackers to gain control of users' PCs appeared at the end of last week. The flaw is caused by the way Skype displays the video suppliers' web pages in its video gallery. According to the vendor's advisory, Internet Explorer's HTML rendering engine or JS/ActiveX API is used to display them, but the content runs in the context of the local zone, which gives it the highest privilege level and the fewest restrictions.
It remains unclear whether Dailymotion will implement better filtering for uploads.
- Skype Cross Zone Scripting Vulnerability, Skype security advisory
- Skype cross-zone scripting vulnerability, report by Aviv Raff
- XSS reikšmė Skype bei vaizdo nuotaikų įterpimo interakcijoje, report by Miroslav Lučinskij (in Lithuanian)