Explore the latest news and trends  

Sign up for our weekly security newsletter


Be the first to receive important updates on security





Send

Videos Deploy Malware in User’s PC via Skype Flaw

On January 18, 2008, Skype released a security report that deals with a cross-zone scripting flaw in its IP Telephony application.

A customer hitting the video option of Skype for Windows carrying the uniquely designed video of Dailymotion in its video gallery might run an arbitrary code surreptitiously without permission, the report informs. To activate the flaw, the victim has to come across this particular Title of Dailymotion in the Skype's video gallery segment. Viewing this video in a Skype chat or e-mail form is not dangerous, since Internet Explorer (IE) control is not exploited.

Security expert Aviv Raff, through a video installed on his blog, demonstrated how a cross-zone scripting vulnerability on the site of Dailymotion.com could be used to trigger off the calculator application in Windows just by exploiting Skype's "Add video to chat" option, reported ZDNet on January 18, 2008.

Security expert Petko Petkov in his blog explained that the target has just to navigate to DailyMotion through Skype's 'Add video to chat' option and come across a step which holds the cross-site scripting flaw, as reported on January 18, 2008 by GNUCITIZEN.

The trouble is that Skype operates the IE browser with less secured "Local Intranet Zone" security settings. As a result of this, hackers are capable of pulling off anything, like hacking files from the storage disk and triggering off arbitrary codes, alleged security expert Petkov in his blog.

As per Petkov, there's one more flaw that Skype was unsuccessful in tackling. Small amount Skype traffic, especially ads, moves in an encrypted form. Utilizing programs such as Airpwn or Karma, he alleged, a hacker could take complete control of the insecure advertisements and substitute them with malevolent ones. This kind of strike is very simple to work out and it involves about zero planning.

Skye announced that it has for the time being disenabled the facility to add videos from Dailymotion gallery till the matter is resolved.

The vulnerability infects the most recent variant of Skype, version 3.6.0.244. Former editions of the program might also be in danger. As per Raff, users should discontinue looking for videos in Skype till the Skype people patch the flaw.

Related article: Videos From Fake YouTube Install Adware

» SPAMfighter News - 1/29/2008

3 simple steps to update drivers on your Windows PCSlow PC? Optimize your Slow PC with SLOW-PCfighter!Email Cluttered with Spam? Free Spam Filter!

Dear Reader

We are happy to see you are reading our IT Security News.

We do believe, that the foundation for a good work environment starts with fast, secure and high performing computers. If you agree, then you should take a look at our Business Solutions to Spam Filter & Antivirus for even the latest version of Exchange Servers - your colleagues will appreciate it!

Go back to previous page
Next