Skype could be used to run malicious code

The vulnerability could be exploited when web pages are opened within Skype - such as making a PayPal payment here

Another day, another security scare. This time, it's the latest build of Skype that's in the firing line after a security researcher found it could be compromised. The flaw in the P2P telephony client means that ne'er-do-well code could be run via Skype.

The app uses Internet Explorer to render features such as the 'add video to web chat' page. Trouble is, it does this in the 'Local Zone' internet security setting, meaning the system isn't adequately locked down. A problem could arise, for example, if a video was infected with malicious code and then viewed through the Skype video search feature.

Cross-Zone Scripting vulnerability

However, although Skype will no doubt patch the code, it will take several cogs to work together for the execution to actually take place. A trusted website straddling security zones would have to be compromised and viewed within the browser.

According to security expert Aviv Raff, this should be known as a Cross-Zone Scripting vulnerability, since the script runs in IE's Local Zone instead of the Internet Zone. He has posted a proof-of-concept YouTube video onto his blog.

Skype v. is the version affected, though it's not known if the vulnerability is further-reaching.