Skype Releases Security Bulletin to Address Cross-Zone Scripting Vulnerability
January 21st, 2008 by Jake Soriano (Technical Communications)
Skype yesterday released a security bulletin to deal with a cross-zone scripting vulnerability. Security Bulletin SKYPE-SB/2008-001 addresses this vulnerability in Skype, which may allow a remote, unauthenticated malicious user to execute arbitrary code on an affected system.
Skype’s “add video to mood” and “add video to chat” functions were identified as possible areas that attackers could exploit to execute malicious code on target systems. Because Skype uses the Internet Explorer web control to render HTML content, browsing through Skype’s video gallery section and watching videos that contain arbitrary code triggers the vulnerability; watching videos in a chat or in a mood message, however, does not.
For now, Skype has disabled adding videos from the gallery of the video-hosting Web site Dailymotion until an official fix is made available.
Trend Micro advises users of this software to download the necessary patches to fix any vulnerability once they are available from Skype.
