Skype cross zone scripting vulnerability details and video

Skype uses the Internet Explorer web browser control to render HTML content. The same control also provides the "add video to mood" and "add video to chat" functionality.

This is implemented through a JS/ActiveX interface that allows scripts to run in the Local Zone security context of IE, i.e. with far more privilege than a page from the Internet Zone would get.

To exploit this, an attacker needs a code injection vulnerability on one of the partner sites whose content Skype renders in that control. Such a vulnerability was discovered on the Dailymotion website.

An attacker who crafts a video's Title in a specific way (so that it is rendered as markup rather than as text) can cause arbitrary code to be executed on the target's PC.
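As an added illustration, not code from this advisory, from Skype or from Dailymotion, the block below shows how a video title that is concatenated unescaped into gallery HTML becomes executable markup, next to the escaped rendering that closes the injection point and a crude check for titles that would inject markup. The renderer functions, the field names, the URL and the sample title are assumptions made for the example; the page does not disclose the actual Dailymotion payload, and nothing here touches the Local Zone privileges that made the real bug serious.

```javascript
// Added example: unescaped vs escaped rendering of an attacker-controlled
// video title. Names, fields and the sample entry are constructed for the
// illustration; this is not the Skype gallery or Dailymotion code.

// Hypothetical vulnerable renderer: the title goes into the HTML verbatim,
// so any tag in it is parsed and, if it is a script, executed by the control.
function renderEntryUnsafe(video) {
  return '<div class="video"><a href="' + video.url + '">' +
         video.title + '</a></div>';
}

// Escape the five characters that can switch HTML or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Only allow http(s) links; anything else (javascript:, vbscript:, ...) is
// replaced so the href cannot become a script vector either.
function safeUrl(u) {
  try {
    const p = new URL(u);
    if (p.protocol === 'http:' || p.protocol === 'https:') return p.href;
  } catch (e) {
    // unparsable input falls through to the safe default
  }
  return 'about:blank';
}

// Hardened renderer: every attacker-controlled field is escaped and the
// link target is validated before it is placed in the attribute.
function renderEntrySafe(video) {
  return '<div class="video"><a href="' + escapeHtml(safeUrl(video.url)) + '">' +
         escapeHtml(video.title) + '</a></div>';
}

// Crude triage check over a feed: would this title, rendered unescaped,
// introduce a tag or an inline event handler? (Heuristic, not a parser.)
function titleInjectsMarkup(title) {
  return /<\s*\/?\s*[a-z]|\bon[a-z]+\s*=/i.test(String(title));
}

// Constructed sample feed entry whose title carries a script tag.
const sample = {
  url: 'https://example.invalid/video/1',
  title: 'Funny cat <script>alert(document.location)</script>'
};

console.log('unsafe:', renderEntryUnsafe(sample));
console.log('safe:  ', renderEntrySafe(sample));
console.log('title injects markup:', titleInjectsMarkup(sample.title));
```

The unsafe output contains a live `<script>` element; the safe output contains only the entity-encoded text of the title, which the browser control displays but never parses as markup.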

For the vulnerability to be triggered, the target must open the video in the Dailymotion section of Skype's video gallery browser. Watching the same video in a Skype chat or in a mood message is safe, because the Internet Explorer control is not used there.

A Skype for Windows user who navigates to a video with a specially crafted Title from Dailymotion in Skype's video gallery may therefore have arbitrary code executed without any consent or further interaction.

All Skype for Windows releases, including 3.5.* and 3.6.*, are vulnerable to this attack.

A proof of concept has been published by Aviv Raff and Miroslav Lucinskij. Here is a video demonstration:
