The Skype client does not properly filter user-supplied input from websites that provide video content to Skype users.
Skype is a peer-to-peer application that provides Voice over IP (VoIP) and Instant Messaging services. The Skype client is available for the Microsoft Windows, Apple OS X, and Linux operating systems.
Skype users can include videos from the Dailymotion and other websites in their mood panel. Videos from these websites are also available via the Skype video browser. Skype does not properly filter user-supplied input that is provided from these third-party websites. An attacker may be able to exploit this vulnerability by uploading a specially crafted movie file to a site that provides video content to Skype users.
A remote unauthenticated attacker may be able to execute arbitrary code.
Per SKYPE-SB/2008-001, Skype has temporarily disabled the ability to add videos from the Dailymotion site until an official fix has been made available. Note that the Dailymotion website contained an XSS vulnerability that could be used as an attack vector, and blocking new videos from the Dailymotion website will not completely address this issue.
Include Skype in the Local Machine Zone Lockdown
This vulnerability was disclosed by Miroslav Lucinskij.
This document was written by Ryan Giobbi.
|Date First Published:||2008-01-22|
|Date Last Updated:||2008-04-29 16:10 UTC|