Skype closes scripting holes in Windows client
Skype has released an update for its eponymous VoIP client to remedy a cross-zone scripting vulnerability and other bugs. The vulnerability allows manipulated videos from Dailymotion and Metacafe to inject malicious code. While awaiting the release of this update, Skype has been blocking access to these partner websites. Now, the update forces all HTML content to run in the internet zone instead of the local zone.
The new version 18.104.22.168 also contains a blacklist and a whitelist to determine which programs have access to Skype's public API. In addition, connection speeds from the Skype network to "restrictive network environments" have been improved. The new version of the client also fixes several other flaws. Users can either use Skype's update function or download the software manually.
- Skype Cross Zone Scripting Vulnerability, Skype's security advisory
- Skype blocks videos completely to protect Windows users , report at heise Security