Skype plugs critical bug with temp move

But it doesn't address second attack vector via public hot spots

Hackers can exploit newly uncovered vulnerabilities in Skype's popular chat and VoIP software to shanghai a Windows PC, security researchers said Thursday.

By Friday morning, Skype had confirmed one of the bugs, slapped the highest-possible vulnerability rating on it and temporarily disabled the feature used to exploit the flaw. However, it has not responded to a second, more serious charge that attackers could nail Skype users at public wireless hot spots.

Early on Thursday, noted Israeli researcher Aviv Raff had spelled out what he called a "cross-zone scripting vulnerability" in Skype that could be leveraged by attackers armed with malicious video files. The way in, Raff explained, was through a security door that Skype left wide open.

"Skype uses [Microsoft's] Internet Explorer Web control to render internal and external HTML pages," Raff said in a posting to his blog early Thursday. "[But] Skype is running this Web control in Local Zone ... [and] the HTML pages in a not-locked Local Zone mode."

Translation: If an attacker manages to inject a malicious script into any of those HTML pages, he can completely compromise the machine.

In a demonstration, Raff posted a tricked-out video file to the Dailymotion video-sharing service that, when called using the software's Add Video to Chat feature, runs harmless arbitrary code. The exploit relied on a separate cross-site scripting vulnerability on Dailymotion, which is one of Skype's video partners.

Raff's innocuous demo, however, could be replaced by attack code of the hacker's choice. "An attacker can now upload a movie, set a kewl popular keyword (e.g. 'Paris Hilton') and own any user that will search for a video with those keywords through Skype," he noted.

Fellow researcher < ahref="http://www.gnucitizen.org/blog/vulnerabilities-in-skype" target="_blank">Petko Petkov, a U.K.-based penetration tester and one of the masterminds behind the GNUCITIZEN group, stressed how easy an attack would be to run. "The attack vector is a bit convoluted, but very much possible and quite practical," Petkov said on the GNUCITIZEN site. "The most obvious approaches would be to either social engineer the user or spam Dailymotion with hundreds of infected movies that correspond to popular keywords."

Early Friday, Skype posted a security advisory that acknowledged the cross-zone scripting bug, saying that it affected all Windows versions of the software, including 3.5 and the most-up-to-date 3.6. Skype also pegged the flaw as a "10" in the Common Vulnerability Scoring System, the highest rating allowed by the security industry's standard bug ranking system.

Skype does not yet have a patch in place, so instead, it simply shut off access to Dailymotion. "Skype has temporarily disabled users' ability to add videos from Dailymotion gallery until an official fix has been made available," the security bulletin said.

But that may not secure Skype, said Petkov, who also argued that the VoIP software harbors even scarier vulnerabilities, specifically unencrypted data within Skype's ads, some of which he said end up displayed by the same IE Web controller in a low-security zone.

"With the help of tools like Airpwn or Karma [a packet-injection tool and wireless sniffing tool, respectively], attackers can easily hijack those ads and replace them with malicious ones," said Petkov. "Upon rendering, a malicious code will execute within [the] unrestricted IE controller and as such will allow the bad guys in. This type of attack is very easy to pull and it requires almost zero preparation."

Such an attack would be conceivable at, say, a public wireless hot spot, where attackers could sniff for Skype traffic, then insert malicious code into the unencrypted ad data. Petkov warned users not to use Skype over a public wireless network.

Skype did not address Petkov's findings in its security advisory, nor in a Friday posting to the company's security blog.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?