Skype has temporarily disabled a feature that allows hackers to hackers to exploit vulnerabilities in it VoIP software.
However, it has not responded to claims of a second, potentially more serious vulnerability that could allow attackers could target Skype users at public wireless hot spots.
Last week, noted Israeli researcher Aviv Raff had spelled out what he called a "cross-zone scripting vulnerability" in Skype that could be leveraged by attackers armed with malicious video files. The way in, Raff explained, was through a security door that Skype left wide open.
"Skype uses [Microsoft's] Internet Explorer Web control to render internal and external HTML pages," Raff said in a posting to his blog early Thursday. "[But] Skype is running this Web control in Local Zone ... [and] the HTML pages in a not-locked Local Zone mode."
In plain English, this means that if an attacker manages to inject a malicious script into any of those HTML pages, he can completely compromise the machine.
Petko Petkov, a UK-based penetration tester and one of the masterminds behind the GNUCITIZEN group, stressed how easy an attack would be to run.
"The attack vector is a bit convoluted, but very much possible and quite practical," Petkov said on the GNUCITIZEN site. "The most obvious approaches would be to either social engineer the user or spam Dailymotion with hundreds of infected movies that correspond to popular keywords."
Early Friday, Skype posted a security advisory that acknowledged the cross-zone scripting bug, saying that it affected all Windows versions of the software, including 3.5 and the most-up-to-date 3.6. Skype also pegged the flaw as a "10" in the Common Vulnerability Scoring System, the highest rating allowed by the security industry's standard bug ranking system.
Skype does not yet have a patch in place, so instead, it simply shut off access to Dailymotion. "Skype has temporarily disabled users' ability to add videos from Dailymotion gallery until an official fix has been made available," the security bulletin said.
But that may not secure Skype, said Petkov, who also argued that the VoIP software harbours vulnerabilities, including unencrypted data within Skype's ads, some of which he said end up displayed by the same IE Web controller in a low-security zone.
"With the help of tools like Airpwn or Karma [a packet-injection tool and wireless sniffing tool, respectively], attackers can easily hijack those ads and replace them with malicious ones," said Petkov. “ This type of attack is very easy to pull and it requires almost zero preparation."
Such an attack would be conceivable at, say, a public wireless hot spot, where attackers could sniff for Skype traffic, then insert malicious code into the unencrypted ad data. Petkov warned users not to use Skype over a public wireless network.
Skype did not address Petkov's findings in its security advisory, nor in a Friday posting to the company's security blog.