Skype Fixes Much Publicized Cross-zone Scripting Problem
As with the Skype holes found in January 2008, the new problem arises because the Windows client displays Web pages using Internet Explorer's rendering function and the JS/ActiveX API within the Local Zone, which lets script in those pages run with the user's full privileges.
Skype issued a security advisory on February 5, 2008, saying it had fixed the flaw that Aviv Raff, an Israeli researcher, had publicized about 21 days earlier. The flaw, which Raff described as a cross-zone scripting hole, was exploitable with crafted video files that abused the way Skype rendered HTML.
After Raff and other researchers posted proof-of-concept code for exploiting the flaw, Skype closed the security gap by first severing its connection to the video-sharing facility of Dailymotion, a Skype partner. A few days later, Skype also cut off Metacafe, another Skype partner that provides video-sharing services.
Toward the end of January, Raff detected one more Skype problem. This was within the SkypeFind command, which helps Skype users review and promote businesses anywhere. Unfortunately, attackers could also use it to take control of Skype users' systems.
The SkypeFind feature allows a user to review an existing business entry or create a new one. It sanitizes the text of the user's reviews and the data in the business entry. Unfortunately, sanitization of the reviewer's full name was forgotten. As a result, an attacker can inject malicious code into their own Full Name, so that whenever a victim views, within the SkypeFind dialog, a business that the attacker has reviewed, the harmful code runs in the Local Zone.
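The omission described above is typical of sanitizing each field by hand. The following added example (not Skype's code and not from the original article; the record fields `business`, `text`, `fullName` and all function names are hypothetical) contrasts that pattern with escaping every value at the point of output, and includes a check that reports any field that reaches the page unencoded.

```javascript
// Hypothetical review record and renderers; names are assumptions, not Skype's code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pattern described in the article: each field is sanitized by hand, one is forgotten.
function renderReviewPerField(review) {
  const business = escapeHtml(review.business);
  const text = escapeHtml(review.text);
  // fullName is concatenated as-is: this is the omission.
  return `<div class="review"><h3>${business}</h3><p>${text}</p>` +
         `<span class="author">${review.fullName}</span></div>`;
}

// Hardened form: a tagged template escapes every interpolated value at the
// output sink, so a field added later cannot be missed.
function html(strings, ...values) {
  return strings.reduce(
    (out, s, i) => out + s + (i < values.length ? escapeHtml(values[i]) : ''), '');
}

function renderReviewEscaped(review) {
  return html`<div class="review"><h3>${review.business}</h3><p>${review.text}</p>` +
         html`<span class="author">${review.fullName}</span></div>`;
}

// Regression check: place an inert, constructed marker in one field at a time
// and return the names of the fields that come out of the renderer unencoded.
function fieldsRenderedRaw(render, fields) {
  const probe = '<u data-probe="1">';
  return fields.filter((field) => {
    const record = Object.fromEntries(fields.map((k) => [k, 'plain']));
    record[field] = probe;
    return render(record).includes(probe);
  });
}

const FIELDS = ['business', 'text', 'fullName'];
console.log('per-field renderer leaks:', fieldsRenderedRaw(renderReviewPerField, FIELDS));
console.log('escape-at-output renderer leaks:', fieldsRenderedRaw(renderReviewEscaped, FIELDS));
```

The entity encoding shown covers HTML text and quoted-attribute contexts only; values placed inside script blocks or URLs need context-specific encoding.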
While it is still unclear how Skype plugged this hole, the company considers it essential to inform its customers. It is still developing a patch to permanently repair the cross-zone scripting problem. Until then, its "Add video to chat" function will remain disabled.
» SPAMfighter News - 13-02-2008