A security flaw in popular voice-over-IP software Skype could be harnessed to run malicious code on a victim's computer, InfoWorld reports. Citing blog entries by security researchers Aviv Raff and Petko. Petkov, InfoWorld says the issue can be triggered by something as simple as searching for an online video via Skype's "Add Video to Chat" dialog.
Indeed, Skype harnesses the rendering engine of Microsoft's Internet Explorer to display web pages, but it employs the "Local zone" security setting, giving pages carte blanche to execute code on a user's system. Folks aren't likely to visit malicious sites from within Skype, but they could hit up a site like DailyMotion.com by clicking the "Video" button in a chat window. And therein lies the problem: because of a cross-site scripting vulnerability, users can inject malicious scripts in DailyMotion video titles. As Raff puts it, "This basically means that an attacker can now upload a movie, set a kewl popular keyword (e.g. 'Paris Hilton'), and own any user that will search for a video with those keywords through Skype."
A YouTube video showcasing the security flaw in action can be viewed here. In the video, Raff simply searches for keywords in Skype's "Add Video to Chat" dialog, and a script embedded in a DailyMotion video title opens up the Windows calculator. The demo was recorded in Windows Vista, too, so it looks like even Microsoft's latest operating system falls victim to the flaw.