Skype Addresses Cross-Zone Scripting Vulnerability - InformationWeek
1/18/2008
06:11 PM

Skype Addresses Cross-Zone Scripting Vulnerability

For the bug to be triggered, the target must find a specific video in the Dailymotion section of Skype's video gallery browser.

Skype on Friday issued a security bulletin that addresses a cross-zone scripting vulnerability in its Internet telephony software.

"A user of Skype for Windows who navigates to the video with specially crafted Title from Dailymotion in Skype's video gallery may experience execution of arbitrary code without consent," the bulletin explains. "For the vulnerability to be triggered, the target must find this video in Skype video gallery browser Dailymotion's section. Watching the video in a Skype chat or in a mood message is safe, as Internet Explorer control is not used."

Skype said that it has temporarily disabled the ability to add videos from the Dailymotion gallery until the issue is fixed.

"The attack vector is a bit convoluted, but very much possible and quite practical," explains Petko D. Petkov, founder of security consultancy GnuCitizen.org, in a blog post. "The user simply needs to visit Dailymotion via Skype's 'Add video to chat' button and stumble upon a movie which contains the cross-site scripting vector. This type of scenario can be achieved in several ways but I believe that the most obvious approaches would be to either social engineer the user or spam Dailymotion with hundreds of infected movies that correspond to popular keywords."

According to Petkov, there's another attack vector that Skype failed to address. Some Skype traffic, advertisements in particular, travels unencrypted. Using software like Airpwn or Karma, he said, an attacker can hijack the unprotected ads and replace them with malicious ones. Such an attack is very easy to execute, he said.
