Skype on Friday issued a security bulletin that addresses a cross-zone scripting vulnerability in its Internet telephony software.
"A user of Skype for Windows who navigates to the video with specially crafted Title from Dailymotion in Skype's video gallery may experience execution of arbitrary code without consent," the bulletin explains. "For the vulnerability to be triggered, the target must find this video in Skype video gallery browser Dailymotion's section. Watching the video in a Skype chat or in a mood message is safe, as Internet Explorer control is not used."
Skye said that it has temporarily disabled the ability to add videos from the Dailymotion gallery until the issue is fixed.
"The attack vector is a bit convoluted, but very much possible and quite practical," explains Petko D. Petkov, founder of security consultancy GnuCitzen.org, in a blog post. "The user simply needs to visit Dailymotion via Skype's 'Add video to chat' button and stumble upon a move which contains the cross-site scripting vector. This type of scenario can be achieved in several ways but I believe that the most obvious approaches would be to either social engineer the user or spam Dailymotion with hundreds of infected movies that correspond to popular keywords."
According to Petkov, there's another attack vector that Skype failed to address. Some Skype traffic, advertisements in particular, travels unencrypted. Using software like Airpwn or Karma, he said, an attacker can hijack the unprotected ads and replace them with malicious ones. Such an attack is very easy to execute, he said.