Skype blocks videos completely to protect Windows users
The problem results from the way in which Skype presents external video sites in its selection window. According to a security advisory from Skype, the window uses Internet Explorer's HTML rendering engine and JS/ActiveX API. The content is rendered in the Local Zone, however, which gives it the highest level of privileges.
According to Raff, his proof of concept also works with other instant messaging applications. He claims the vulnerability could be used to spread a worm, for which reason he has declined to publish further details. It is not quite clear from Raff's statements whether this refers to the cross-zone vulnerability in Skype or the cross-site scripting vulnerability in Metacafe.
Nonetheless, he has informed Skype of the problem, and Skype has in turn deactivated access to Metacafe videos. The developers are reported to be working on a patch. Meanwhile, Skype appears to have briefly reinstated access to Metacafe, though it is not clear why. Currently, users are greeted by the message, "Hi there, no videos today".
- No more videos for you. Come back when patch available!, security advisory from Aviv Raff
- (Update) Skype Cross Zone Scripting Vulnerability, updated blog entry from Skype