After he reported the new attack vector to Skype, access to Metacafe was first disabled, then mysteriously re-enabled, Raff said in an e-mail interview. By Wednesday morning, however, the Skype-Metacafe link was again broken. "It seems like bringing Metacafe back was probably a malfunction, and surely was not on purpose," Raff said.
Also on Wednesday, Skype revised the original security advisory from last week to account for Raff's newest findings, and to confirm that it had turned off the video spigot entirely.
"Skype has now fully disabled video adding from gallery until an official fix has been made available," the revamped bulletin read. That means Skype users can no longer pull in videos from Dailymotion or Metacafe using the "Add video to mood" or "Add video to chat" commands.
Skype has not set a timetable for producing a patch - the Windows 3.5 and 3.6 versions are the ones fingered by Skype as vulnerable - but Raff believes a fix is straightforward. "Locking down the Local Zone is a simple registry change," he said. "[Although] there might be other changes needed in order to preserve backward compatibility."
Villu Arak, a Skype spokesman, promised that the severed links to the partners would be reconnected at some point. "Both Dailymotion and Metacafe videos will be re-enabled as soon as an official fix has been made available," he said in an update to the Skype security blog Wednesday.
Skype, however, has not addressed another issue broached last week by a second researcher. According to Petko Petkov, a prolific penetration tester from the U.K., some Skype traffic, particularly its advertisements, is not encrypted and can be hijacked at public Wi-Fi hotspots then fed back to unsuspecting Skype users full of malicious code.
The kind of fix envisioned by Raff, however, would also eliminate the Petkov problem, since the latter relies on the same Internet Explorer Web control and poor security practices that made possible the video-based exploits.