(Resolved) Skype Cross Zone Scripting Vulnerability
A vulnerability that allowed an attacker to execute arbitrary code on a Skype user’s Windows PC without their consent has been discovered in Skype and on Dailymotion, the video-sharing site where Skype users can download video clips and add them to their Skype moods and chats.
The vulnerability had the potential to affect users of Skype 3.5 and 3.6 for Windows who, in Skype’s video gallery, navigated to a Dailymotion video with a specially crafted title.
The issue, demonstrated by security researchers as a proof of concept, was neutralized before actual attackers took advantage of it, so Skype users are unlikely to have been affected. Skype has temporarily disabled users’ ability to add videos from the Dailymotion gallery until an official fix is available. In turn, Dailymotion is addressing the vulnerability on its web site.
For a more detailed description of the issue, please see the most recent Skype Security Bulletin.
Update: We’ve also temporarily disabled the ability to add videos from the Metacafe video gallery. Both Dailymotion and Metacafe videos will be re-enabled as soon as an official fix has been made available.
- - -
Final update on Feb. 6, 2008 – the issue has been resolved. Please see today’s post for more information.