As the usage of VoIP
based services increases, cyber criminals are motivated to find security loopholes in various VoIP systems and use those holes to their advantage. One of the latest such loopholes is a programming error in eBay's (News
) Skype communications software could give online evil-doers a new way to sneak their malicious software onto a victim's PC.
Although all versions of Skype (News
) are at risk, the flaw mostly affects the latest, Skype 126.96.36.199, InfoWorld Daily reported.
Security researcher Aviv Raff said in the InfoWorld Daily report that the flaw relates to Skype’s method of using a Windows Internet Explorer component to render HTML
. An attacker can use the flaw to attempt to install dangerous software on a victim’s machine.
InfoWorld Daily mentioned a video posted to Raff’s blog, showing how a cross-zone scripting flaw on the Dailymotion.com Web site could be exploited to launch the calculator program in Windows, using Skype's "Add video to chat" feature. Raff wrote: “The user simply needs to visit DailyMotion via Skype’s 'Add video to chat' button and stumble upon a move which contains the cross-site scripting vector.”
Finding a Web site that contains cross-zone scripting error, which is also called a common programming flaw, is very important for an attacker wanting to use the Skype loophole. The flaw allows hackers to trick Skype into believing that a program comes from a trusted source. Once the hackers have tricked Skype, they can easily flood the site with maliciously encoded advertisements in order to boost the likelihood of infecting a victim.
In the InfoWorld Daily report, Raff said there are currently no remedies for the security hole, and suggested that Skype users stop searching for videos until developers come up with a solution for the problem.
Don’t forget to check out TMCnet’s White Paper Library, which provides a selection of in-depth information on relevant topics affecting the IP Communications industry. The library offers whitepapers, case studies and other documents which are free to registered users. Today’s featured white paper is Achieving a Successful IP Telephony Transition, brought to you by Communicado (News - Alert).
Raju Shanbhag is a contributing editor for TMCnet. To read more of Raju’s articles, please visit his columnist page.