Skype plugs critical cross-zone scripting hole
Skype Ltd. Tuesday patched a critical vulnerability that forced it to dump
several features from its VoIP and chat software to prevent attackers from hijacking
Windows PCs.
In a security advisory issued Tuesday, Skype said it fixed the underlying flaw
publicized by Israeli researcher Aviv Raff nearly three weeks ago. The vulnerability,
which Raff called a cross-zone scripting bug, could be exploited with rigged
video files that leveraged a security flaw in how Skype rendered HTML.
At root, Raff said, was the fact that Skype, which uses IE's Web control to
handle internal and external HTML pages, ran the control in a low-security mode.
"Skype is running this Web control in Local Zone ... [and] the HTML pages
in a not-locked Local Zone mode," Raff said in mid-January.
After Raff and others posted proof-of-concepts, Skype temporarily plugged the
hole by first ditching connections to Dailymotion, one of the Internet-calling
service's video-sharing partners. Six days later, it severed the line to Metacafe,
another partner, when Raff pointed out an even more serious exploit.
Last week, Raff spotted yet another Skype problem, this time in the SkypeFind
command, which lets users recommend businesses to others and write reviews of
those businesses. At the time, Raff said if a hacker crafted a review that included
a malicious script, any user who viewed the business via the SkypeFind command
would have his PC shanghaied.
Raff traced all three cross-zone scripting vulnerabilities to Skype's poor
security model, and said a fix was relatively simple. "To lock the Local
Zone, they basically need to change one registry value," he said last Thursday.
Skype hinted that it had done just that. "The core vulnerability has been
fixed by setting IE control security context to Internet Zone," said the
company in Tuesday's security alert. It also claimed that all three of the exploits
-- the two related to Dailymotion and Metacafe and the third connected to SkypeFind
-- had been quashed by the patched Skype now available for download.
Raff, however, wasn't willing to give it the thumbs up, at least not yet. After
seeing the Skype advisory, he had questions that needed answering before he
would give the patch a green light. "I'm still waiting for answers from
Skype," Raff said in an instant message interview.
Users can download the patched Skype -- Windows version 3.6.0.248 -- from the
service's Web site. Existing Skype users can update by using the software's
"Check for Updates" command under the Help menu.
» posted by abennett
Computerworld
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
Crimeware: Understanding New Attacks and Defenses
By Markus Jakobsson, Zulfikar Ramzan
Published Apr 6, 2008 by Addison-Wesley Professional. Part of the Symantec Press series.
Enter now! | Official rules | Sample chapter
Securing VoIP Networks: Threats, Vulnerabilities, and Countermeasures
By Peter Thermos, Ari Takanen
Published Aug 1, 2007 by Addison-Wesley Professional.
Enter now! | Official rules | Sample chapter
