Skype Releases Cross Zone Vulnerability Fix
Problem: A security bug in the Skype for Windows client has been identified and fixed.
Skype uses the Internet Explorer web control to render HTML content. This control is also used to provide the “add video to mood” and “add video to chat” functionality. A bug has been discovered in the Windows Skype code that allows scripts to run in the unlocked Local Zone security context of IE and execute shell.
To exploit this, an attacker must exploit a code injection vulnerability at a content provider site. Such vulnerabilities were discovered in the Dailymotion website, in the Metacafe Pro video submission software, and in Skype’s own SkypeFind. All of them had been fixed at the time this bulletin was issued.
Affected software: The following Skype clients are vulnerable to this attack:
Skype for Windows:
- All releases including 3.5.*
- 3.6 releases prior to and including 3.6.*.244
Solution: An official fix to the issue covered by this Security Bulletin has been released.
The core vulnerability has been fixed by setting the IE control's security context to the Internet Zone. To implement this fix, update to one of the following releases of Skype.
Skype for Windows: 3.6.*.248 or later
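For auditing installed clients against the version ranges in this bulletin, the following is an added example, not code from Skype or from this post. It assumes four-part version strings (major.minor.patch.build, with the bulletin's "*" as the third part), reads "all releases including 3.5.*" as everything below 3.6, and treats releases after 3.6 as fixed; the function names and the inventory are hypothetical.

```python
# Added example: classify Skype for Windows versions against this bulletin.
# Assumption: versions are major.minor.patch.build; "*" is the patch part.
import re

LAST_AFFECTED_BUILD = 244   # "3.6 releases prior and including 3.6.*.244"
FIRST_FIXED_BUILD = 248     # "3.6.*.248 or later"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def classify(version: str) -> str:
    """Return 'affected', 'fixed', 'unlisted' or 'invalid'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return "invalid"            # not a four-part numeric version
    major, minor, _patch, build = map(int, m.groups())
    if (major, minor) < (3, 6):
        return "affected"           # all releases up to and including 3.5.*
    if (major, minor) > (3, 6):
        return "fixed"              # assumption: later than 3.6.*.248
    if build <= LAST_AFFECTED_BUILD:
        return "affected"
    if build >= FIRST_FIXED_BUILD:
        return "fixed"
    return "unlisted"               # builds 245-247: bulletin gives no status


def audit(inventory: dict) -> dict:
    """Turn a host -> version map into a status -> sorted host list map."""
    report = {}
    for host, version in inventory.items():
        report.setdefault(classify(version), []).append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed inventory: hostnames and versions are sample data.
SAMPLE_INVENTORY = {
    "ws-01": "3.5.0.239",
    "ws-02": "3.6.0.244",
    "ws-03": "3.6.0.248",
    "ws-04": "3.6.0.246",
    "ws-05": "3.6.244",
}

if __name__ == "__main__":
    for status, hosts in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as "unlisted" or "invalid" need a manual check, since the bulletin does not state their status.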
The preferred method for installing security updates is to download the software directly from Skype’s website, from the website of Skype’s authorized partners, or from a reliable mirror site.
- x86 platform, Microsoft Windows 2000 or Microsoft Windows XP: http://www.skype.com/download/skype/windows/
- x86 platform, Linux: http://www.skype.com/download/skype/linux/
- PPC and x86 platforms, Mac OS X v10.3.9 or later: http://www.skype.com/download/skype/macosx/
- Pocket PC platform, Microsoft Windows Mobile 2003: http://www.skype.com/download/skype/pocketpc/
Source: Skype Security Bulletin
gasusan2005 (1432 Posts) - Website | Twitter | Facebook









