NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0392 New SKYPE Bug Opens Users to Easy Hijack:
SKYPE Ltd. plugged yet another critical vulnerability, but the
researcher who reported the bug said that that's not enough. Noted
vulnerability researcher Aviv Raff said that another SKYPE flaw, this one in the
software's SkypeFind feature, can be used to inject attack script into
systems running the application. SkypeFind, which was introduced in Skype 3.1
for Windows, lets users recommend businesses to others running the Voice-over-IP
and chat client and write reviews of those businesses. "Sadly, it could
also be used by attackers to own Skype users' machines," Raff said in a
blog post. Specifically, Skype neglects to sanitize reviewer's names, so
attacks could replace their Skype names with malicious script. The result is
striking, whenever a victim views a business which was reviewed by the attacker,
the malicious script will be executed in an unlocked Local Zone. The company
also downplayed the threat, saying, "There is one important precondition
for the exploit to work, the victim must receive Skype contact request
authorization from the attacker's Skype account." While that's
true, the security researcher said there are at least two easy ways for
attackers to automate users' contact requests. Both involve relatively
basic bots that rely on Skype's own protocol handler or its application
programming interfaces (API). Raff recommended that Skype users disable the
SkypeFind tab by choosing View/Tab and panels, then uncheck "SkypeFind
Tab." They'll also need to disable the Skype: URI (Uniform Resource
Identifier) protocol handler, which requires an edit of the Windows
registry.
(ComputerWorld 31JAN08)