Skype shut off its video-adding feature Wednesday after a security researcher revealed yet another way hackers could hijack users' PCs.
The move came a week after Israeli researcher Aviv Raff first reported a cross-zone scripting vulnerability in Skype that could be triggered by a malicious video uploaded to the Dailymotion video-sharing service, one of two Skype partners.
Raff's findings prompted Skype to temporarily disable access to Dailymotion last Thursday. Skype has yet to come up with a permanent fix.
This week Raff expanded on his research, saying a much more dangerous kind of attack could be crafted by exploiting a flaw in Metacafe, the second Skype video partner. Access to Metacafe had been left open, even as Dailymotion's connection to Skype was severed. Raff coded a proof-of-concept (PoC) exploit for the newest attack vector but, unlike the Dailymotion PoC he released publicly last week, did not share it.
"This PoC can actually be triggered by simply visiting a Web site, or clicking on a link from your instant messaging application, which basically means that this vulnerability is now wormable!" Raff said in a post to his blog. "This is why I've decided not to publicly disclose the proof-of-concept, nor to show a video that might disclose too much information."
Raff's newest PoC relied on a malicious video file uploaded to Metacafe using special software that the site provides.