In association with heise online

23 January 2008, 11:17

Skype blocks videos completely to protect Windows users


Skype has completely deactivated the "Add video to chat" function in its client software to close a potential security hole in its Windows software. At the end of last week, the eponymous company behind the Skype client blocked access to video portal Dailymotion in order to prevent attackers from executing JavaScript injected into video pages within Skype, which would have allowed them to gain control of a user's PC. This latest move means that it is no longer possible to add videos from Metacafe either.

The problem results from the way in which Skype presents external video sites in its selection window. According to a security advisory from Skype, it uses Internet Explorer's HTML render engine and JS/ActiveX API. In doing so, however, the content runs in the local zone, giving it the highest level of privileges.

For security reasons, Skype is currently blocking the addition of videos to chat

Initially it looked like it was only possible to add JavaScript to title tags in Dailymotion. However, further tests by Israeli security specialist Aviv Raff showed that it was also possible to embed JavaScript in video pages from Metacafe. Although Metacafe successfully prevents such attempts made via the site's standard front end, videos with user-defined metatags can be uploaded using the site's "Metacafe Pro" software. This software fails to filter tags for JavaScript.
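The Metacafe case above comes down to metadata that is filtered on one upload path but not on another. As an added example (not code from the article, Skype or Metacafe), the sketch below encodes title and meta-tag values at render time, so the page is safe whichever client stored the data; all function names and the sample record are hypothetical.

```javascript
// Added example: encode user-supplied video metadata when the page is
// rendered, instead of relying on each upload client to filter it.
// All names here are hypothetical; the sample record is constructed.

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode a value for HTML text and quoted-attribute contexts.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the <head> fragment of a video page from stored metadata.
function renderVideoHead(video) {
  const title = encodeHtml(video.title);
  const metas = Object.entries(video.tags || {}).map(
    ([name, content]) =>
      `<meta name="${encodeHtml(name)}" content="${encodeHtml(content)}">`
  );
  return [`<title>${title}</title>`, ...metas].join("\n");
}

// Regression check: the fragment may contain only title and meta elements.
function hasOnlyExpectedElements(html) {
  const tags = html.match(/<\/?[a-zA-Z][\w-]*/g) || [];
  return tags.every((t) => /^<\/?(title|meta)$/i.test(t));
}

// Constructed record, as an upload client without filtering might store it.
const sample = {
  title: "Holiday clip</title><script>/* constructed marker */</script>",
  tags: { keywords: 'a" onload="/* constructed marker */' },
};

console.log(renderVideoHead(sample));
console.log("only expected elements:", hasOnlyExpectedElements(renderVideoHead(sample)));
```
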

According to Raff, his proof of concept also works with other instant messaging applications. He claims the vulnerability could be used to spread a worm, for which reason he has declined to publish further details. It is not quite clear from Raff's statements whether this refers to the cross-zone vulnerability in Skype or the cross-site scripting vulnerability in Metacafe.

Nonetheless, he has informed Skype of the problem, and Skype has in turn deactivated access to Metacafe videos. The developers are reported to be working on a patch. Meanwhile, Skype appears to have briefly reinstated access to Metacafe - it is not clear why. Currently, users are greeted by the message, "Hi there, no videos today".

(mba)

Permalink: http://h-online.com/-735875