Skype bug may expose users to malicious code
L33tdawg: If you're coming for HITB2011KUL in October, don't miss Benjamin Kunz's Skype Vulnerabilities: Zero Day Exploitation 2011 talk
The latest version of Skype for Windows contains a security vulnerability that allows attackers to inject potentially dangerous code into a user's phone session, a German security researcher has reported.
The XSS, or cross-site scripting, vulnerability in Skype 5.5.0.113 is the result of the voice-over-IP client failing to inspect user-supplied phone numbers for malicious code, researcher Levent Kayan said. As a result, attackers might be able to exploit the bug to inject commands or scripts that hijack the machine running the program.
“An attacker could for example inject HTML/JavaScript code,” Kayan wrote in an advisory published on Wednesday. “It has not been verified though, if it's possible to hijack cookies or to attack the underlying operating system.” An attacker might also exploit the vulnerability to remotely execute malicious JavaScript files on external websites, he said.