Skype has moved swiftly to block a security hole that allowed code execution attacks via the software’s video search feature.
The vulnerability, exposed last week by researchers Aviv Raff and Petko D. Petkov, is a cross-zone scripting issue that allowed hackers to use rigged video files to launch full code execution (PC takeover) attacks.
On the Skype blog, Villu Arak confirmed the bug and attack scenario and explained the temporary band-aid:
“Skype has temporarily disabled users’ ability to add videos from the Dailymotion gallery until an official fix has been made available. In turn, Dailymotion is addressing the vulnerability on their web site.“
Skype also released a security advisory with more details.