Skype releases cross-zone vulnerability fix

Written by Russell Shaw, Contributor

Skype said today that a security bug in the Skype for Windows client has been identified and fixed.

Here's the problem, according to Skype:

Skype uses Internet Explorer web control to render HTML content. This is used also for providing "add video to mood" and "add video to chat" functionality. The bug has been discovered in Windows Skype code which allows scripts to be run in unlocked Local Zone security context of IE and execute shell.

In order to exploit this an attacker must exploit code injection vulnerability at content provider site. Such vulnerabilities were discovered in Dailymotion website, in Metacafe Pro video submission software as well as in Skype's own SkypeFind. All of them have been fixed at the time of issuing this bulletin.

All Skype for Windows clients, from 3.6.244 and back, are vulnerable to this attack. The fix for this is here. Just download it, and upon installation, the Skype version that presented this vulnerability will be overwritten by the new one, which is Skype 3.6.248.
