Skype Addresses Cross-Zone Scripting Vulnerability - InformationWeek

News | 1/18/2008, 06:11 PM

For the bug to be triggered, the target must find a specific video in the Dailymotion section of Skype's video gallery browser.

Skype on Friday issued a security bulletin that addresses a cross-zone scripting vulnerability in its Internet telephony software.

"A user of Skype for Windows who navigates to the video with specially crafted Title from Dailymotion in Skype's video gallery may experience execution of arbitrary code without consent," the bulletin explains. "For the vulnerability to be triggered, the target must find this video in Skype video gallery browser Dailymotion's section. Watching the video in a Skype chat or in a mood message is safe, as Internet Explorer control is not used."

Skype said that it has temporarily disabled the ability to add videos from the Dailymotion gallery until the issue is fixed.
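The bulletin above describes the flaw: a video title fetched from Dailymotion is rendered by an embedded Internet Explorer control that runs with local-zone privileges, so markup in the title executes as code. The following is an added illustration from the defender's side, not code from Skype or from the bulletin. It shows the unsafe pattern (untrusted title concatenated straight into the HTML the control renders) beside a hardened one that escapes every untrusted field and only accepts links to the expected host. Function and field names are assumed for the example, and the sample title is constructed.

```javascript
// Added example (not Skype's code): untrusted video metadata such as a
// Dailymotion title must be treated as text, never as markup, before it
// reaches an HTML control that runs with local-zone privileges.

// Minimal HTML escaping for text placed inside element content or a
// double-quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Vulnerable pattern: the title is concatenated straight into the HTML that
// the embedded browser control will render, so any markup in it becomes
// live DOM inside the privileged zone.
function renderGalleryEntryUnsafe(video) {
  return `<div class="video"><a href="${video.url}">${video.title}</a></div>`;
}

// Hardened pattern: every untrusted field is escaped, and the link is only
// accepted if it is an http(s) URL whose host is the expected video service
// (the allowed host is a parameter assumed for this example).
function renderGalleryEntrySafe(video, allowedHost) {
  let url;
  try {
    url = new URL(video.url);
  } catch {
    return null; // unparsable URL: refuse to render the entry at all
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  if (url.hostname !== allowedHost) return null;
  return `<div class="video"><a href="${escapeHtml(url.href)}">` +
         `${escapeHtml(video.title)}</a></div>`;
}

// Constructed sample: a title carrying an inline script tag, the kind of
// payload a cross-site scripting vector relies on (constructed for this example).
const SAMPLE_VIDEO = {
  title: 'Funny cat <script>alert("zone")</script>',
  url: 'http://www.dailymotion.com/video/example',
};

// Crude review check over rendered output: any raw tag other than the ones
// the template itself emits means untrusted markup leaked through unescaped.
function containsForeignTags(html, templateTags) {
  const tags = html.match(/<\/?([a-zA-Z][\w-]*)/g) || [];
  return tags.some(
    (t) => !templateTags.includes(t.replace(/^<\/?/, '').toLowerCase()),
  );
}

// Stand-alone demonstration of both renderers on the constructed sample.
console.log('unsafe leaks markup:',
  containsForeignTags(renderGalleryEntryUnsafe(SAMPLE_VIDEO), ['div', 'a']));
console.log('safe leaks markup:  ',
  containsForeignTags(renderGalleryEntrySafe(SAMPLE_VIDEO, 'www.dailymotion.com'), ['div', 'a']));
```

Escaping is the fix the page's description implies for the title; the host check on the link is a separate defence added here, since a gallery entry should never carry the user to a location outside the service it claims to come from. Rendering third-party content in a control that is not zone-restricted remains the root cause, and escaping only limits the damage of that design choice.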

"The attack vector is a bit convoluted, but very much possible and quite practical," explains Petko D. Petkov, founder of security consultancy GnuCitizen.org, in a blog post. "The user simply needs to visit Dailymotion via Skype's 'Add video to chat' button and stumble upon a movie which contains the cross-site scripting vector. This type of scenario can be achieved in several ways but I believe that the most obvious approaches would be to either social engineer the user or spam Dailymotion with hundreds of infected movies that correspond to popular keywords."

According to Petkov, there's another attack vector that Skype failed to address. Some Skype traffic, advertisements in particular, travels unencrypted. Using software like Airpwn or Karma, he said, an attacker can hijack the unprotected ads and replace them with malicious ones. Such an attack is very easy to execute, he said.
