A patch for the cross-zone scripting vulnerability in Skype is still not
available. As I mentioned in my first advisory, Skype renders HTML pages in
several dialogs.
One of these dialogs is used by a feature called "SkypeFind". This feature,
available from version 3.1, allows Skype users promote and review businesses
around the world. Sadly, it could also be used by attackers to own Skype
users' machines.
Within this feature any Skype user can add a new business and review an
existing business. Skype does a great job sanitizing the data provided in
the business item entry, and also the text provided in the user's reviews.
Unfortunately, they forgot to sanitize the full name of the reviewers. So,
an attacker can inject a malicious script in his Skype's Full Name, and
whenever a victim will view a business which was reviewed by the attacker,
in the SkypeFind dialog, the malicious script will be executed in an
unlocked Local Zone!
I've contacted Skype security team, and they have provided a quick server
side fix for the full name issue.
Unfortunately, this is not enough! I'm worried that there are probably other
ways to inject a script to this dialog.
I advised Skype to disable this feature until they provide a patch for the
cross-zone scripting vulnerability. For no good reason, they have decided to
decline my advice.
More information:
http://aviv.raffon.net/2008/01/31/AttackersCanSkypeFindYou.aspx
--Aviv.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
