Vulnerability Note VU#248184

Skype does not properly filter input from external websites

Original Release date: 22 Jan 2008 | Last revised: 29 Apr 2008

Overview

The Skype client does not properly filter user-supplied input from websites that provide video content to Skype users.

Description

Skype is a peer-to-peer application that provides Voice over IP (VoIP) and Instant Messaging services. The Skype client is available for the Microsoft Windows, Apple OS X, and Linux operating systems.

Skype users can include videos from the Dailymotion and other websites in their mood panel. Videos from these websites are also available via the Skype video browser. Skype does not properly filter user-supplied input that is provided from these third-party websites. An attacker may be able to exploit this vulnerability by uploading a specially crafted movie file to a site that provides video content to Skype users.

From SKYPE-SB/2008-001: Skype Cross Zone Scripting Vulnerability:

    Description

    Skype uses Internet Explorer web control to render HTML content. This is used also for providing "add video to mood" and "add video to chat" functionality.

    This is realized over JS/ActiveX interface which allows scripts to be run in Local Zone security context of IE.

    In order to exploit this an attacker must exploit code injection vulnerability at the partner site. Such vulnerability has been discovered in Dailymotion website.

    Discussion

    An attacker who constructs a Title of the video in a specific way can cause arbitrary code to be executed on targets PC.

    For the vulnerability to be triggered, the target must find this video in Skype video gallery browser Dailymotion's section. Watching the video in a Skype chat or in a mood message is safe, as Internet Explorer control is not used.

    The proof of concept has been made public by Aviv Raff and Miroslav Lucinskij.

Impact

A remote unauthenticated attacker may be able to execute arbitrary code.

Solution

Per SKYPE-SB/2008-001, Skype has temporarily disabled the ability to add videos from the Dailymotion site until an official fix has been made available. Note that the Dailymotion website contained an XSS vulnerability that could be used as an attack vector, and blocking new videos from the Dailymotion website will not completely address this issue.

Include Skype in the Local Machine Zone Lockdown

Configuring Skype to use the Local Machine Zone Lockdown may prevent this vulnerability from being exploited by preventing Skype from evaluating script in the Local Machine Zone. To set Skype in the Local Machine Zone, edit the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LocalMachine_Lockdown registry entry to include the DWORD value Skype.exe and set the Value data to 1. Skype must be completely quit and restarted for the changes to take effect.

Alternatively, the following text can be saved as a .REG file and imported:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LocalMachine_Lockdown]
    "Skype.exe"=dword:00000001

Note that this workaround does not directly address the vulnerability. The workaround may make cause some of Skype's features to fail or to operate with limited functionality.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Skype TechnologiesAffected-22 Jan 2008
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This vulnerability was disclosed by Miroslav Lucinskij.

This document was written by Ryan Giobbi.

Other Information

  • CVE IDs: Unknown
  • Date Public: 17 Jan 2008
  • Date First Published: 22 Jan 2008
  • Date Last Updated: 29 Apr 2008
  • Severity Metric: 36.09
  • Document Revision: 43

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.