
Skype could be used to run malicious code

App could be compromised when visiting web pages from within

January 21st 2008

The vulnerability could be exploited when web pages are opened within Skype - such as making a PayPal payment here

Another day, another security scare. This time, it's the latest build of Skype that's in the firing line after a security researcher found it could be compromised. The flaw in the P2P telephony client means that ne'er-do-well code could be run via Skype.

The app uses Internet Explorer to render features such as the 'add video to web chat' page. Trouble is, it does this in the 'Local Zone' internet security setting, meaning the system isn't adequately locked down. A problem could arise, for example, if a video was infected with malicious code and then viewed through the Skype video search feature.

Cross-Zone Scripting vulnerability

However, although Skype will no doubt patch the code, several things would have to line up for the execution to actually take place. A trusted website straddling security zones would have to be compromised and viewed within the browser.

According to security expert Aviv Raff, this should be known as a Cross-Zone Scripting vulnerability, since the script runs in IE's Local Zone instead of the Internet Zone. He has posted a proof-of-concept YouTube video onto his blog.

Skype v.3.6.0.244 is the version affected, though it's not known if the vulnerability is further-reaching.

 

Your comments (1)

chaimhaas


January 21st 2008

1. Skype provides a full description on its Security Blog of the vulnerability and the steps that have been taken to address the problem so it doesn't affect users - http://share.skype.com/sites/security/2008/01/skype_cross_zone_scripting_vul.html
