Skype: Video chat feature meets code execution vulnerability

Updated below: Aviv Raff, a security researcher, has found a flaw in Skype that could allow an attacker to control your PC.

On his blog, Raff explains the following:

Skype uses Internet Explorer web control within the application to render internal and external HTML pages. Examples for this pages are the "Send money via PayPal" dialog, or "Add video to chat" dialog.

Recently, I've discovered that Skype is running this web control in Local Zone. The more problematic issue here is that Skype runs the HTML pages is a not-locked Local Zone mode, the same as AOL's AIM does in the chat message window.

This means, that if it is possible to inject a script to any of those pages, it is possible to execute code on the user's machine.

The easiest way to test this is to open up the latest version of Skype, open up add video to chat and type in "calc test" in the search box. That search will launch the Windows calculator. This proof of concept could be applied to other Windows programs. Raff has a video walking through the flaw.

I took it for a spin too and wound up with the following:

You can imagine this vulnerability to be used to launch other application that could be useful to an attacker.

The flaw is unpatched so don't use the video chat feature.

Via Ryan Naraine.

Update:  Skype has disabled the Dailymotion search feature that could be exploited. In a blog post, Skype said:

The issue, demonstrated by security researchers as a proof of concept, was neutralized before actual attackers took advantage of it, therefore Skype users are unlikely to have been affected. Skype has temporarily disabled users’ ability to add videos from the Dailymotion gallery until an official fix has been made available. In turn, Dailymotion is addressing the vulnerability on their web site.