madison

Zero Day

Ryan Naraine and Dancho Danchev
Home / News & Blogs / Zero Day

Latest version of Skype susceptible to malicious code injection flaw

By | August 23, 2011, 8:06am PDT

Summary: The latest version of Skype contains dangerous flaw, which could allow malicious injection of HTML/JavaScript code into a user’s phone session.

According to a German security researcher, the latest version of Skype contains dangerous flaw, which could allow malicious injection of HTML/JavaScript code into a user’s phone session.

Based on an advisory published on Wednesday, the researcher claims that:

An attacker could for example inject HTML/Javascript code. It has not been verified though, if it’s possible to hijack cookies or to attack the underlying operating system. Attacker could give a try using extern .js files…

Skype’s comments:

“We have had this reported to us by various media outlets and have confirmed that the person is mistaken, this is not a web window and while it does cause a phone number to be underlined, does nothing other than this,” spokeswoman Brianna Reynaud wrote in an email.

However, the researcher said that the unsafe content is displayed when users view a booby-trapped profile, which works by inserting a JavaScript command or web address where a phone number is expected, since the entries in (home, office and mobile phone and city) are embedded via HTML.

Hat tip to The Register.

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

More from “Zero Day”

Topics

Malicious Code, Flaw, Skype Technologies S.A., Viruses And Worms, Security, Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Disclosure

Dancho Danchev

More details on Dancho Danchev's current and past professional affiliations, can be found in his LinkedIn profile.

Biography

Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations, can be found in his LinkedIn profile. You can also follow him on Twitter

Talkback Most Recent of 3 Talkback(s)

  • Waiting
    for SJVN to somehow pin this on Microsoft.
    ZDNet Gravatar
    honeymonster
    23rd Aug
  • Well, waiting is good
    But the reality is, it's all a plot hatched and brought to fruition by Loverock. His next step is to link this flaw into all releases of *nix so that anything not Windows automatically is "updated" to Windows.
    ZDNet Gravatar
    ego.sum.stig@...
    23rd Aug
  • like, did we have to worry about this sort of thing before M$ bought it???
    @honeymonster

    i mean really!
    they corrupt everything they touch just to get it embedded into the next version of their OS.
    there's nothing wrong with pointing out simple facts of the company's track record.
    just sayin'!

    what we need is for someone to test this and post an independent review before going out and scaring the pants off the populace though.
    if the status of Skype is harmed by this and it cannot be verified, this guy opens himself open to a big honkin' lawsuit.
    and the culpability of ZDNet is not altogether zero here.
    could be bad.
    very bad.

    happy
    .
    ZDNet Gravatar
    wessonjoe
    25th Aug

Talkback - Tell Us What You Think

Formatting +
BB Codes - Note: HTML is not supported in forums
  • [b] Bold [/b]
  • [i] Italic [/i]
  • [u] Underline [/u]
  • [s] Strikethrough [/s]
  • [q] "Quote" [/q]
  • [ol][*] 1. Ordered List [/ol]
  • [ul][*] · Unordered List [/ul]
  • [pre] Preformat [/pre]
  • [quote] "Blockquote" [/quote]
Click Here

The best of ZDNet, delivered

ZDNet Newsletters

Get the best of ZDNet delivered straight to your inbox

Facebook Activity

Blog Roll

Blog Archive

White Papers, Webcasts, & Resources