Skype cross-zone scripting vulnerability now fixed

By Villu Arak on February 6, 2008 in Reviews and news, Skype security features.

We recently disabled the ability to use Skype’s Live tab to download clips from the Dailymotion and Metacafe video galleries. We took this step as a cautionary measure after security researchers found a vulnerability in Skype 3.5 and 3.6 for Windows that would have allowed an attacker to execute arbitrary code on a Skype user’s Windows PC without their consent.

As we said in our post on January 18, the measure was temporary and would remain in place only until an official fix for the vulnerability was made available. We are pleased to report that the core vulnerability has now been addressed and a fix is included in the latest build of Skype for Windows, 3.6.0.248.

For those who have upgraded to the latest build, we have now re-enabled video downloads from both Dailymotion and Metacafe. Users of older versions of Skype for Windows will not be able to access these video galleries and will need to upgrade.

Last but not least, we’d like to encourage all users to frequently upgrade their version of Skype. This helps ensure that the Skype experience is safer and more enjoyable.

Comments

Hello!

I just discovered this bug/design flaw that allows 3rd parties to view communication on a compromised account. Is this a "feature" or was it simply overlooked? Comments are appreciated!

"SKYPE design flaw or security hole? Man-in-the-middle listening & logging"
http://www.sigg3.net/entry/1177

sigg3net | Thursday, Feb 7

While the following information ( http://www.secdev.org/conf/skype_BHEU06.handout.pdf ) is not exactly current, I have run into a few IT security specialists who have quoted this information as recently as this year as a major reason why a company should avoid Skype as an Internet-based (VoIP) communications solution.

For most of us, this is way out there. But it may be worthwhile if Skype could address a few of these concerns so people like me can fire back with good reasons why Skype is not a security risk as an IT solution as of today.

tls.kevin.davis | Wednesday, Feb 13

I'm an educator in Pennsylvania and I am helping educators from all over win the battle to allow Skype for teachers. Most districts block Skype. I am building some information here to win the case in my own district. We need to win the battle against IT personnel who view Skype as a threat to our network. Anyone, please drop in and help this cause.

http://forwardslant.blogspot.com

http://eduwikius.wikispaces.com/skype


tommcgee | Monday, Feb 18
