
Skype's vulnerability could hit you in Hotspots

Israel-based security researcher Aviv Raff has discovered a weakness in the way Skype renders internal and external HTML pages that makes it particularly vulnerable to attackers.

Skype renders HTML pages in an unlocked local zone, which means that anyone able to inject malicious code into a page rendered in that zone could potentially execute code on the user's computer.
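The defensive side of the problem described above, as an added example that is not code from the article, from Skype or from the researchers it cites: when text fetched from an external site is rendered inside a privileged (local-zone) page, that text has to be treated as data rather than markup. The result shape `{title, url}`, the helper names and the sample results are all constructed for this illustration.

```javascript
// Added example, not from the article or from Skype. Two small helpers show
// the mitigation for cross-zone injection: escape every externally supplied
// string before it becomes HTML, and only allow http(s) link targets so that
// script-bearing URL schemes never reach the privileged page.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace the five characters that can change HTML structure or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Accept only absolute http/https URLs; anything else (javascript:, file:, data:,
// unparsable input) collapses to a harmless '#'.
function safeHref(url) {
  try {
    const parsed = new URL(String(url));
    return (parsed.protocol === 'http:' || parsed.protocol === 'https:') ? parsed.href : '#';
  } catch (err) {
    return '#';
  }
}

// Render external search results (assumed shape: {title, url}) into list markup.
// Every interpolated value passes through escapeHtml, and hrefs through safeHref first.
function renderResults(results) {
  return results
    .map(r => `<li><a href="${escapeHtml(safeHref(r.url))}">${escapeHtml(r.title)}</a></li>`)
    .join('');
}

// Constructed sample input: one ordinary result and one whose title carries
// markup and whose URL uses a non-http scheme.
const SAMPLE_RESULTS = [
  { title: 'Cats & dogs', url: 'https://example.com/v/1' },
  { title: '<script>probe()</script>', url: 'javascript:probe()' },
];

// Stand-alone demonstration: the markup never contains a live <script> tag.
console.log(renderResults(SAMPLE_RESULTS));
```

The point is where the escaping happens: at the boundary where external data enters the privileged page, not somewhere upstream that the rendering code cannot verify.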

A proof of concept was made public by Raff and fellow researcher Miroslav Lucinskij, with more information available in a Skype security bulletin entitled "Skype Cross Zone Scripting Vulnerability".

Ars Technica reports that although this would require malware authors to find a trusted site that can be infected via a cross-zone scripting error, such sites are not particularly difficult to find.

Computerworld quotes security researcher and penetration tester Petko Petkov, who pointed to how easy it was to build an attack: "When a given resource executes within the Local Zone context, all sorts of things are possible like, including but not only, reading/writing files from the local disc and launching executables through the WSH primitives."

The vulnerability affects all Windows versions of Skype, including the most up-to-date release, 3.6, and was given a severity score of 10, the highest rating allowed.

The only way to make sure that your computer is not compromised is not to search for videos from within Skype for the foreseeable future.

Désiré Athow
Contributor
