Hackers can exploit newly uncovered vulnerabilities in Skype Ltd.'s popular chat and VoIP software to shanghai a Windows PC, security researchers said Thursday.
Noted Israeli researcher Aviv Raff spelled out what he called a "cross-zone scripting vulnerability" in Skype that could be leveraged by attackers armed with malicious video files. The way in, Raff explained, was through a security door that Skype leaves wide open.
"Skype uses [Microsoft Corp.'s] Internet Explorer Web control to render internal and external HTML pages," Raff said in a posting to his blog early Thursday. "[But] Skype is running this Web control in Local Zone... [and] the HTML pages in a not-locked Local Zone mode."
Translation: If an attacker manages to inject a malicious script into any of those HTML pages, he can completely compromise the machine.
As a demonstration, Raff posted a tricked-out video file to the DailyMotion video sharing service -- one of Skype's partners -- that when called using the software's Add Video to Chat feature, runs harmless arbitrary code. Raff's innocuous demo, however, could be replaced by attack code of the hacker's choice.
"An attacker can now upload a movie, set a kewl popular keyword (e.g. 'Paris Hilton'), and own any user that will search for a video with those keywords through Skype," noted Raff.
Fellow researcher Petko Petkov, a U.K.-based penetration tester and one of the masterminds behind the GNUCITIZEN group, stressed how easy an attack would be to run. "The attack vector is a bit convoluted, but very much possible and quite practical," said Petkov on the GNUCITIZEN site. "The most obvious approaches would be to either social engineer the user or spam DailyMotion with hundreds of infected movies that correspond to popular keywords."
Petkov also argued that Skype harbored even scarier vulnerabilities, specifically unencrypted data within Skype's ads, some of which he said end up displayed by the IE Web controller in a low-security zone.
"With the help of tools like Airpwn or Karma [a packet injection tool and wireless sniffing tool, respectively -- Ed.], attackers can easily hijack those ads and replace them with malicious ones," said Petkov. "Upon rendering, a malicious code will execute within [the] unrestricted IE controller and as such will allow the bad guys in. This type of attack is very easy to pull and it requires almost zero preparation."
Such an attack would be conceivable at, say, a public wireless hotspot, where attackers could sniff for Skype traffic, then insert malicious code into the unencrypted ad data. Petkov warned users from using Skype over a public wireless network.
Both Raff and Petkov urged Skype users to stop searching for videos within the application and forget about calling on the Add Video to Chat feature until Skype patches the problem.
According to Raff, the latest Windows version of Skype, v22.214.171.124, is flawed; earlier editions may also be vulnerable.
Skype had not posted any information about the vulnerability claims of Raff and Petkov to its security page, nor was there any mention on the service's support forums. Skype representatives were not available for comment Thursday night.