Vulnerability Note VU#248184
Skype does not properly filter input from external websites
The Skype client does not properly filter user-supplied input from websites that provide video content to Skype users.
Skype is a peer-to-peer application that provides Voice over IP (VoIP) and Instant Messaging services. The Skype client is available for the Microsoft Windows, Apple OS X, and Linux operating systems.
Skype users can include videos from the Dailymotion and other websites in their mood panel. Videos from these websites are also available via the Skype video browser. Skype does not properly filter user-supplied input that is provided from these third-party websites. An attacker may be able to exploit this vulnerability by uploading a specially crafted movie file to a site that provides video content to Skype users.
Skype uses Internet Explorer web control to render HTML content. This is used also for providing "add video to mood" and "add video to chat" functionality.
This is realized over JS/ActiveX interface which allows scripts to be run in Local Zone security context of IE.
In order to exploit this an attacker must exploit code injection vulnerability at the partner site. Such vulnerability has been discovered in Dailymotion website.
An attacker who constructs a Title of the video in a specific way can cause arbitrary code to be executed on targets PC.
For the vulnerability to be triggered, the target must find this video in Skype video gallery browser Dailymotion's section. Watching the video in a Skype chat or in a mood message is safe, as Internet Explorer control is not used.
The proof of concept has been made public by Aviv Raff and Miroslav Lucinskij.
A remote unauthenticated attacker may be able to execute arbitrary code.
Per SKYPE-SB/2008-001, Skype has temporarily disabled the ability to add videos from the Dailymotion site until an official fix has been made available. Note that the Dailymotion website contained an XSS vulnerability that could be used as an attack vector, and blocking new videos from the Dailymotion website will not completely address this issue.
Include Skype in the Local Machine Zone Lockdown
Note that this workaround does not directly address the vulnerability. The workaround may make cause some of Skype's features to fail or to operate with limited functionality.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Skype Technologies||Affected||-||22 Jan 2008|
CVSS Metrics (Learn More)
This vulnerability was disclosed by Miroslav Lucinskij.
This document was written by Ryan Giobbi.
- CVE IDs: Unknown
- Date Public: 17 Jan 2008
- Date First Published: 22 Jan 2008
- Date Last Updated: 29 Apr 2008
- Severity Metric: 36.09
- Document Revision: 43
If you have feedback, comments, or additional information about this vulnerability, please send us email.