Skype: Video chat feature meets code execution vulnerability

Summary:Updated below: Aviv Raff, a security researcher, has found a flaw in Skype that could allow an attacker to control your PC.On his blog, Raff explains the following:Skype uses Internet Explorer web control within the application to render internal and external HTML pages.

Updated below: Aviv Raff, a security researcher, has found a flaw in Skype that could allow an attacker to control your PC.

On his blog, Raff explains the following:

Skype uses Internet Explorer web control within the application to render internal and external HTML pages. Examples for this pages are the "Send money via PayPal" dialog, or "Add video to chat" dialog.

Recently, I've discovered that Skype is running this web control in Local Zone. The more problematic issue here is that Skype runs the HTML pages is a not-locked Local Zone mode, the same as AOL's AIM does in the chat message window.

This means, that if it is possible to inject a script to any of those pages, it is possible to execute code on the user's machine.

The easiest way to test this is to open up the latest version of Skype, open up add video to chat and type in "calc test" in the search box. That search will launch the Windows calculator. This proof of concept could be applied to other Windows programs. Raff has a video walking through the flaw.

I took it for a spin too and wound up with the following:

skype.png

You can imagine this vulnerability to be used to launch other application that could be useful to an attacker.

The flaw is unpatched so don't use the video chat feature.

Via Ryan Naraine.

Update:  Skype has disabled the Dailymotion search feature that could be exploited. In a blog post, Skype said:

The issue, demonstrated by security researchers as a proof of concept, was neutralized before actual attackers took advantage of it, therefore Skype users are unlikely to have been affected. Skype has temporarily disabled users’ ability to add videos from the Dailymotion gallery until an official fix has been made available. In turn, Dailymotion is addressing the vulnerability on their web site.

Topics: Operating Systems, Collaboration, Security, Social Enterprise, Software, Windows

About

Larry Dignan is Editor in Chief of ZDNet and SmartPlanet as well as Editorial Director of ZDNet's sister site TechRepublic. He was most recently Executive Editor of News and Blogs at ZDNet. Prior to that he was executive news editor at eWeek and news editor at Baseline. He also served as the East Coast news editor and finance editor at CN... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.