Sunday, January 20th 2008

Skype Cross-zone Scripting Vulnerability Found

Security researcher Aviv Raff has discovered and demonstrated a flaw in Skype that allows malicious code to execute when the software embeds video into chat. The problem is caused by Skype's web control. The program uses Internet Explorer to render internal and external HTML, but does so using "Local Zone" security settings. Full information on the "Skype cross-zone scripting vulnerability" is posted here. There, you can also watch proof-of-concept footage of Skype launching Windows' calculator. The bug currently affects Skype v.3.6.0.244, and may be present in older versions of the client as well. At this point, the solution is to avoid using the "Add Video to Chat" Skype feature. Simply having the program installed or using its various other functions will not expose a system to potential infection.

Source: Ars Technica

3 Comments on Skype Cross-zone Scripting Vulnerability Found

#1
Triprift
I didn't even know you could add video to chat in Skype, wow. I've only started me day and already I've learnt something new, cool.
#2
Cold Storm
Battosai
lol.. yeah I just watched a video a friend made by using Skype video... it was good... lol.. Skype FTW!
#3
chaimhaas
Skype Security Blog

Skype provides a full description on its Security Blog of the vulnerability and the steps that have been taken to address the problem so it doesn't affect users.