Browse > Home / Blog article: Skype Patches Critical Hole

Skype Patches Critical Hole

By Dave Nixon

February 6, 2008

Skype has patched a critical vulnerability that had obliged it to abandon several features from its software to thwart attackers from hijacking Windows PCs.

In a security review, Skype said it had fixed the flaw identified by Israeli researcher Aviv Raff nearly three weeks ago. The vulnerability, which Raff called a cross-zone scripting bug, could be exploited with amended video files that took advantage a security flaw in how Skype delivered HTML.

The cause, Raff said, was the reality that Skype, which uses IE’s web control to handle internal and external HTML pages, operated the control in a low-security manner. “Skype is running this web control in Local Zone … and the HTML pages in a not-locked Local Zone mode,” Raff said in mid-January.

After Raff and others published proof-of-concepts, Skype provisionally plugged the hole by initially removing connections to Dailymotion, one of the Internet-calling service’s video-sharing partners. Six days later, it cut the line to Metacafe, another partner, when Raff illustrated an even graver exploit.

Last week, Raff identified yet a further Skype problem, this time in the SkypeFind command, which allows users to advocate businesses to others and write reviews of those businesses. At the time, Raff said if a hacker created a review that incorporated a malevolent script, every user that viewed the business using the SkypeFind command would have his PC compromised.

Raff routed all three cross-zone scripting vulnerabilities to Skype’s meager security model, and said a fix was comparatively straightforward. “To lock the Local Zone, they basically need to change one registry value,” he said last Thursday.

Skype implied that it had done just that. “The core vulnerability has been fixed by setting IE control security context to Internet Zone,” said the company in Tuesday’s security alert. Additionally it maintained that all three of the exploits - the two related to Dailymotion and Metacafe and the third connected to SkypeFind — had been nullified by the patched Skype now available for download.

Raff, however, was not prepared to give it the all clear, at least not immediately. After considering the Skype advisory, he had questions that required answering prior to giving the patch a green light. “I’m still waiting for answers from Skype,” he said.

Users can download the patched Skype - Windows version 3.6.0.248 - from the company’s website. Existing Skype users can update by using the software’s “Check for Updates” command under the Help menu.

Click here to discuss this: Security Forums

Filed Under Business Security, IT Security, Internet Security News, Network Security, Software Security 
Tagged:



Add to Bookmarks:

ADD TO DEL.ICIO.US     ADD TO DIGG     ADD TO FURL

ADD TO STUMBLEUPON     ADD TO YAHOO MYWEB     ADD TO GOOGLE     ADD TO SPURL


Related posts to "Skype Patches Critical Hole":



Comments

Got something to say?





Visited 233 times, 1 so far today