Skype Vulnerability Makes End-Users Susceptible to Malware Execution

According to a security researcher from Germany, there's a security flaw within the Skype's newest edition for Windows, which if exploited, lets cyber-criminals to insert apparently harmful software inside end-users' phone sessions. The Register reported this on August 22, 2011.

The flaw is rather stubborn and related to code insertion that reportedly impacts Skype because of an absence of input authentication. As a result, a cyber-criminal can insert Javascript/HTML code with which he can attack an original operating system or compromise cookies.

The discoverer of the flaw Levent Kayan says that the Cross-Site Scripting (XSS) flaw inside Skype 5.5.0.113 occurs because the voice-over-Internet Protocol component doesn't effectively scrutinize the phone numbers that users supply vis-à-vis malware. Consequently, cyber-criminals may succeed in abusing the flaw for inserting scripts or commands, which compromise the affected system with the program enabled on it, he explains. The Register reported this on August 22, 2011.

Moreover a cyber-criminal may as well abuse the flaw for remotely running malevolent JavaScripts onto outside Internet sites, Kayan further explains.

Nonetheless, Microsoft has dismissed what the German researcher says about Skype being susceptible to XSS assaults. According to it, the attack code published over the Net is gentle.

Meanwhile, Skype stated that it wasn't possible to execute the assault as the flawed areas for making entry couldn't be accessed online in Windows. Also as per a representative of Skype, the researcher's claim wasn't really right since the entries within mobile, office and home phones were implanted through HTML. The Register reported this.

Indeed, during July 2011 when version 5.3.0.120 of Skype was impacted Kayan reported that the exploitation of the Skype bug let end-users become compromised through a code-insertion series inside the entry area of cell-phone. As a result, it was possible to execute script as well as access the victimized user's account info and session ID.

Finally, security specialists stated that such flaws could allow the creation of self-replicating assaults provided it was possible to target the people listed inside the victim's address book with them although it wasn't clear whether the latest flaw could similarly permit for self-replicating assaults.

Related article: Skype Plugs Critical Security Hole

» SPAMfighter News - 8/31/2011