Skype squishes cross-zone scripting bug

Underlying weakness nixed


Skype has fixed a cross-zone scripting weakness in its voice over IP client software which spawned a couple of security bugs over recent weeks.

Problems have arisen for Windows users because Skype uses Internet Explorer web controls to render internal and external HTML pages.

Skype had been running these web controls in the Local Zone and, worse, accessing HTML pages in an unlocked Local Zone mode, an approach that opens the door to so-called cross-zone scripting exploits.

For example, the use of vulnerable controls made it possible to inject a malicious script into the "Add video to chat" dialogue on video-sharing sites such as Skype partner DailyMotion. Skype was initially obliged to block the feature after the vulnerability was discovered last month.

A similar vulnerability in the SkypeFind feature, which lets users recommend businesses to others running the VoIP client, also stemmed from the same underlying cross-zone scripting weakness. Skype patched the feature when the SkypeFind problem came up last week, but the underlying issue remained.

Tuesday brought the arrival of a more complete fix that addresses the underlying architectural weakness involved in both the SkypeFind and DailyMotion security flaps.

Skype said it fixed the core vulnerability by setting the IE control's security context to the Internet Zone (instead of the Local Zone, as previously implemented). Windows users need to update to Skype for Windows version 3.6.*.248 or later, as explained in an advisory here.
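The "unlocked Local Zone mode" described above corresponds to a host process not opting into IE's Local Machine Zone Lockdown, which is off by default for anything other than Internet Explorer itself. The following audit script is an added example, not from the article or from Skype, and assumes the host executable name Skype.exe; it reports, for each embedded-WebBrowser host you list, whether the relevant Internet Feature Control opt-ins are present in the registry.

```powershell
# Added example (not part of the article): audit which embedded IE WebBrowser hosts
# have opted into Local Machine Zone Lockdown and zone-elevation blocking.
# The executable name below is an assumption for illustration; add your own hosts.
$hosts    = @('Skype.exe')
$features = @('FEATURE_LOCALMACHINE_LOCKDOWN', 'FEATURE_ZONE_ELEVATION')

# Feature Controls are read per process name from these two hives; HKLM wins if set.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl'
)

foreach ($h in $hosts) {
    foreach ($f in $features) {
        $value = $null
        foreach ($r in $roots) {
            $key = Join-Path $r $f
            if (Test-Path $key) {
                # The value name is the host executable's file name (e.g. Skype.exe).
                $prop = Get-ItemProperty -Path $key -Name $h -ErrorAction SilentlyContinue
                if ($prop) { $value = $prop.$h; break }
            }
        }
        # 1 = feature enabled for this process; absent = platform default, which for
        # non-IE hosts means the Local Machine Zone is NOT locked down.
        $state = if ($value -eq 1) { 'opted in (locked down)' }
                 elseif ($null -eq $value) { 'not set (default: unlocked)' }
                 else { "set to $value" }
        '{0,-12} {1,-30} {2}' -f $h, $f, $state
    }
}
```

A host reporting "not set" for FEATURE_LOCALMACHINE_LOCKDOWN while rendering remote HTML in the Local Zone is exposed to exactly the class of issue the article describes; opting in, or mapping the control to the Internet Zone as Skype did, closes it.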

More background on cross-zone scripting vulnerabilities can be found in postings by security researcher Aviv Raff, who's kept a close watching brief on the issue over recent weeks. ®

