[ insider_reports_insider ]
Skype Vulnerability Threatens Video Searchers
David Utter
Staff Writer
2008-01-18
 Insider Reports RSS Feed
Looking for video through Skype could expose a computer to a cross-zone scripting vulnerability that could lead to remote code execution.
 | | Skype Vulnerability Threatens Video Searchers |  |
The VoIP application from Skype uses the Internet Explorer web control to render HTML pages. Security researcher Aviv Raff said the implementation used by Skype opens a machine to attack:
Recently, I've discovered that Skype is running this web control in Local Zone. The more problematic issue here is that Skype runs the HTML pages is a not-locked Local Zone mode, the same as AOL's AIM does in the chat message window.
This means, that if it is possible to inject a script to any of those pages, it is possible to execute code on the user's machine. pdp suggested that AirPwn can be used for that, and I can't do more than agree with him.
At GNU Citizen, PDP said some parts of Skype traffic, like ads, are not encrypted, and likewise travel over an unencrypted channel. An attacker could replace legitimate ads with malicious ones, through the use of tools like the aforementioned AirPwn, or Karma.
Until Skype patches the problem, it's probably a good idea to refrain from using Skype on a public wireless hotspot, PDP suggested, and don't use the 'Add video to chat' feature. If exploited, it "means a complete 0wnage," he said.
About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.
More insider_reports_insider Articles
Insider Reports RSS Feed
|
|
iEntry 10th Anniversary
RSS
Archive
