A security flaw in popular voice-over-IP software Skype could be harnessed to run malicious code on a victim's computer, InfoWorld reports. Citing blog entries by security researchers Aviv Raff and Petko D. Petkov, InfoWorld says the issue can be triggered by something as simple as searching for an online video via Skype's "Add Video to Chat" dialog.
Indeed, Skype harnesses the rendering engine of Microsoft's Internet Explorer to display web pages, but it employs the "Local zone" security setting, giving pages carte blanche to execute code on a user's system. Folks aren't likely to visit malicious sites from within Skype, but they could hit up a site like DailyMotion.com by clicking the "Video" button in a chat window. And therein lies the problem: because of a cross-site scripting vulnerability, users can inject malicious scripts in DailyMotion video titles. As Raff puts it, "This basically means that an attacker can now upload a movie, set a kewl popular keyword (e.g. 'Paris Hilton'), and own any user that will search for a video with those keywords through Skype."
A YouTube video showcasing the security flaw in action can be viewed here. In the video, Raff simply searches for keywords in Skype's "Add Video to Chat" dialog, and a script embedded in a DailyMotion video title opens up the Windows calculator. The demo was recorded in Windows Vista, too, so it looks like even Microsoft's latest operating system falls victim to the flaw.
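The title injection described above comes down to untrusted text being concatenated into markup. The following is an added example, not code from Skype, DailyMotion or the researchers, that shows a search-result renderer in that vulnerable form beside a hardened one. The function names, result shape, `video.example` URLs and the harmless `window.marker` payloads are all constructed for illustration.

```javascript
// Constructed sample: search results as a client might receive them from a
// third-party video site. Two titles carry markup with a harmless marker.
const sampleResults = [
  { title: "Holiday highlights", url: "https://video.example/v/1" },
  { title: "Paris Hilton <script>window.marker = 1</script>", url: "https://video.example/v/2" },
  { title: 'Clip "2" <img src=x onerror=window.marker=2>', url: "https://video.example/v/3" },
];

// Before: titles are concatenated straight into markup, so any tag inside a
// title becomes a live element in whatever security context renders the page.
function renderResultsUnsafe(results) {
  return results.map(r => `<li><a href="${r.url}">${r.title}</a></li>`).join("");
}

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the characters that can open a tag or break out of an attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Accept only http(s) links so a result cannot carry a script or local-file URL.
function safeUrl(url) {
  try {
    const parsed = new URL(url);
    return parsed.protocol === "https:" || parsed.protocol === "http:" ? parsed.href : "#";
  } catch {
    return "#"; // unparseable URL: render an inert link
  }
}

// After: every untrusted field is encoded for the context it lands in.
function renderResultsSafe(results) {
  return results
    .map(r => `<li><a href="${escapeHtml(safeUrl(r.url))}">${escapeHtml(r.title)}</a></li>`)
    .join("");
}
```

Output encoding of this kind addresses the script injection in titles; the decision to render remote pages with "Local zone" privileges is a separate setting in the embedding application.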