Videos Deploy Malware in User’s PC via Skype Flaw
On January 18, 2008, Skype released a security report on a cross-zone scripting flaw in its IP telephony application.
A user who opens the video option in Skype for Windows while the video gallery carries a specially crafted Dailymotion video might run arbitrary code without knowing or permitting it, the report says. To trigger the flaw, the victim has to come across this particular Dailymotion title in the video gallery section of Skype. Viewing the video in a Skype chat or in e-mail form is not dangerous, since the Internet Explorer (IE) control is not exploited in that case.
Security expert Aviv Raff, in a video posted on his blog, demonstrated how a cross-zone scripting vulnerability on the Dailymotion.com site could be used to launch the Windows calculator application just by exploiting Skype's "Add video to chat" option, ZDNet reported on January 18, 2008.
Security expert Petko Petkov explained in his blog that the target only has to navigate to DailyMotion through Skype's "Add video to chat" option and come across a step that holds the cross-site scripting flaw, as reported on January 18, 2008 by GNUCITIZEN.
The trouble is that Skype runs the IE browser control with the less secure "Local Intranet Zone" security settings. As a result, attackers can pull off anything, such as taking files from the disk and running arbitrary code, Petkov said in his blog.
According to Petkov, there is one more flaw that Skype has not addressed. A small amount of Skype traffic, especially ads, travels in unencrypted form. Using programs such as Airpwn or Karma, he said, an attacker could take complete control of the insecure advertisements and substitute malicious ones. This kind of attack is very simple to carry out and involves almost no planning.
Skype announced that it has temporarily disabled the ability to add videos from the Dailymotion gallery until the matter is resolved.
The vulnerability affects the most recent release of Skype, version 220.127.116.11. Earlier versions of the program might also be at risk. According to Raff, users should stop searching for videos in Skype until Skype patches the flaw.
» SPAMfighter News - 29-01-2008