1/18/2008
06:11 PM

Skype Addresses Cross-Zone Scripting Vulnerability

For the bug to be triggered, the target must open a specific video in the Dailymotion section of Skype's video gallery browser.

Skype on Friday issued a security bulletin that addresses a cross-zone scripting vulnerability in its Internet telephony software.

"A user of Skype for Windows who navigates to the video with specially crafted Title from Dailymotion in Skype's video gallery may experience execution of arbitrary code without consent," the bulletin explains. "For the vulnerability to be triggered, the target must find this video in Skype video gallery browser Dailymotion's section. Watching the video in a Skype chat or in a mood message is safe, as Internet Explorer control is not used."

Skype said that it has temporarily disabled the ability to add videos from the Dailymotion gallery until the issue is fixed.

"The attack vector is a bit convoluted, but very much possible and quite practical," explains Petko D. Petkov, founder of security consultancy GnuCitizen.org, in a blog post. "The user simply needs to visit Dailymotion via Skype's 'Add video to chat' button and stumble upon a movie which contains the cross-site scripting vector. This type of scenario can be achieved in several ways but I believe that the most obvious approaches would be to either social engineer the user or spam Dailymotion with hundreds of infected movies that correspond to popular keywords."
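The defect described above, as an added illustration that is not Skype's or Dailymotion's code: a gallery page assembled by pasting an untrusted video title straight into HTML that an embedded browser control renders in a trusted zone, shown beside the escaped version and an ingest-time check. The feed entries, titles and function names are constructed for this example.

```python
import html
import re

# Constructed sample entries in the shape of a third-party video gallery feed
# (not real Dailymotion data); the second title carries markup.
SAMPLE_FEED = [
    {"id": "vid-001", "title": "Skateboarding dog"},
    {"id": "vid-002", "title": 'Funny cats <script>alert("zone")</script>'},
]

TEMPLATE = '<div class="video" data-id="%s"><a href="#%s">%s</a></div>'


def render_entry_vulnerable(entry):
    # Vulnerable pattern: the remote title lands in the page verbatim. When a
    # browser control renders this page in a local/trusted zone, any script in
    # the title runs with that zone's privileges rather than the remote site's.
    return TEMPLATE % (entry["id"], entry["id"], entry["title"])


def render_entry_safe(entry):
    # Hardened pattern: every untrusted field is escaped for the HTML context
    # it is placed in (text and attribute values), so markup stays inert text.
    vid = html.escape(entry["id"], quote=True)
    title = html.escape(entry["title"], quote=True)
    return TEMPLATE % (vid, vid, title)


# Ingest-time check: anything that looks like an HTML tag inside a title is
# suspicious for a plain-text field and can be logged or dropped before the
# entry ever reaches the rendering layer.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def suspicious_titles(feed):
    return [e["id"] for e in feed if TAG_RE.search(e["title"])]


if __name__ == "__main__":
    for e in SAMPLE_FEED:
        print("vulnerable:", render_entry_vulnerable(e))
        print("safe:      ", render_entry_safe(e))
    print("flagged:", suspicious_titles(SAMPLE_FEED))
```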

According to Petkov, there's another attack vector that Skype failed to address. Some Skype traffic, advertisements in particular, travels unencrypted. Using software like Airpwn or Karma, he said, an attacker can hijack the unprotected ads and replace them with malicious ones. Such an attack is very easy to execute, he said.
