Skype Addresses Cross-Zone Scripting Vulnerability - InformationWeek

Skype Addresses Cross-Zone Scripting Vulnerability

For the bug to be triggered, the target must find a specific video in the Dailymotion section of Skype's video gallery browser.

Skype on Friday issued a security bulletin that addresses a cross-zone scripting vulnerability in its Internet telephony software.

"A user of Skype for Windows who navigates to the video with specially crafted Title from Dailymotion in Skype's video gallery may experience execution of arbitrary code without consent," the bulletin explains. "For the vulnerability to be triggered, the target must find this video in Skype video gallery browser Dailymotion's section. Watching the video in a Skype chat or in a mood message is safe, as Internet Explorer control is not used."

Skype said that it has temporarily disabled the ability to add videos from the Dailymotion gallery until the issue is fixed.

"The attack vector is a bit convoluted, but very much possible and quite practical," explains Petko D. Petkov, founder of security consultancy, in a blog post. "The user simply needs to visit Dailymotion via Skype's 'Add video to chat' button and stumble upon a movie which contains the cross-site scripting vector. This type of scenario can be achieved in several ways but I believe that the most obvious approaches would be to either social engineer the user or spam Dailymotion with hundreds of infected movies that correspond to popular keywords."

According to Petkov, there's another attack vector that Skype failed to address. Some Skype traffic, advertisements in particular, travels unencrypted. Using software like Airpwn or Karma, he said, an attacker can hijack the unprotected ads and replace them with malicious ones. Such an attack is very easy to execute, he said.
