Skype has been forced to turn off a video-sharing feature in its software because
it could be misused to launch a self-copying worm attack against Skype users,
security researchers said Tuesday.

A bug in the software, which was first reported
last Thursday by security researcher Aviv Raff, stems from the way Skype
uses an Internet Explorer component to render HTML.

Skype's video-sharing feature allows users to share videos hosted on two sites
-- Dailymotion.com
and Metacafe.com -- while
chatting with other Skype users.

Last week Raff showed how attackers could exploit the bug to run unauthorized
software on a Skype user's PC. But on Tuesday, the security researcher said
the flaw was more serious than he'd first thought. It can "be triggered
by simply visiting a Web site, or clicking on a link from your instant messaging
application," he
wrote in a blog posting, "Which basically means that this vulnerability
is now wormable."

Skype appeared to have pulled the video feature from its client software on
Tuesday as a result of the bug. Users who attempted to click on the "videos"
button within a chat window were greeted with a message that the feature was
unavailable "because of some security concerns."

"Our brightest engineers are rattling their wrenches to make things all
right and bring the beloved videos back. Soon," the message read. "Sorry
about this."

Skpe representatives did not return calls seeking comment. Last week, Skype
spokesman Villu Arak confirmed
that there was a security problem for Skype 3.5 and 3.6 users who visited
the Dailymotion.com Web site, but users were still able to share videos using
Metacafe.com.

On Tuesday, however, Skype pulled the video feature altogether after being
informed of the new problem, Raff said.

Because Metacafe had a cross-site scripting flaw, a common type of programming
error, Raff was able to run JavaScript on Metacafe.com, which could then be
used to run unauthorized software on the victim's computer. Attackers could
then forward a link to the malicious Web page to all of the Skype contacts in
the victim's computer, spreading the infection.

For Raff's attack to work, an attacker would have to post a maliciously encoded
video file to either of the Metacafe or Dailymotion Web sites. Metacafe said
Tuesday that it's "highly unlikely" that this kind of malicious video
would make it through the site's content-filtering process.

In a statement, the company said it expects Metacafe videos to be available
to Skype users as early as Wednesday morning.

Raff said that because the attack could lead to a widespread worm outbreak,
it would be better for Skype to fix the underlying problem before bringing Metacafe
back online.

Raff believes that Dailymotion was probably susceptible to this type of attack
as well, although he was unable to confirm this after Skype cut off access to
the Web site.

The problem lies in the fact that Skype uses a Windows Internet Explorer (IE)
component with inappropriate security settings, researchers say. Instead of
processing pages it renders with the more secure "Internet Zone" security
setting, Skype uses IE's "Local Zone" security setting, usually reserved
for more trustworthy content.

Until Skype engineers make some changes to their software, more of these problems
will continue to pop up, Raff said.

Another security researcher who
has been studying the flaw agreed.

"If they keep their Skype client running in the Local Zone of IE, we will
see more of these," said Petko Petkov of GNU Citizen via instant message.
"Before killing Metacafe, anyone that owns the server would have been able
to own every Skype user on the planet."

IDG News Service

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine