Researchers Find Code Execution Bug in Skype
Security Watch
SHARE
Facebook X Pinterest WhatsApp

Researchers Find Code Execution Bug in Skype

Written By
Ryan Naraine
Ryan Naraine
Jan 17, 2008
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Security researchers have found a serious security vulnerability that could result in PC hijack attacks against users of the wildly popular Skype voice chat tool.

The issue, described by Aviv Raff as a cross-zone scripting vulnerability, could allow hackers to use rigged video files to launch full code execution (PC takeover) attacks.

Earlier today, Raff demonstrated the attack scenario for me by rigging a video file and uploading it to Dailymotion’s servers with several keywords. From Skype’s Add Video to Chat feature, I ran a search query for “calc test” (keywords used in Raff’s exploit) and here’s what happened when I hit the search button:

Now, imagine a social engineering scenario in which popular keywords (Britney Spears, Paris Hilton, Lindsay Lohan) are used to lure video searchers to booby-trapped videos.

Raff explains:

“Skype uses Internet Explorer Web control within the application to render internal and external HTML pages. Examples for this pages are the “Send money via PayPal” dialog, or “Add video to chat” dialog….The more problematic issue here is that Skype runs the HTML pages in a not-locked Local Zone mode. This means that if it is possible to inject a script to any of those pages, it is possible to execute code on the user’s machine.“

Raff and I tested the exploit against the latest version of Skype, v3.6.0.244. Prior versions may also be affected.

Petko D. Petkov, a vulnerability researcher at GNUcitizen, said he believes there’s a more sinister aspect to these Skype vulnerabilities:

“I noticed that parts of the Skype traffic go over unencrypted channel. After further investigation, I found out that the unencrypted packets are part of Skype’s ads, which are pulled on several places, some of which end up within the unrestricted IE controller. With the help of tools like Airpwn or Karma, attackers can easily hijack [those] ads and replace them with malicious ones. Upon rendering, a malicious code will execute within unrestricted IE controller and as such will allow the bad guys in. This type of attack is very easy to pull and it requires almost zero preparation.“

In the absence of a patch, Skype users should avoid using the Add Video to Chat feature. Petkov also warns against using Skype on any public Wi-Fi hotspots because of the man-in-the-middle attack vector.
Ryan Naraine
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

facebook
linkedin
youtube
rss
x

Company

About us Contact us Advertise with us

Categories

Latest News Resources Artificial Intelligence Video Big Data & Analytics Cloud Networking

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information