This is realized over JS/ActiveX interface which allows scripts to be run in Local Zone security context of IE.
In order to exploit this an attacker must exploit code injection vulnerability at the partner site. Such vulnerability has been discovered in Dailymotion website.
An attacker who constructs a Title of the video in a specific way can cause arbitrary code to be executed on targets PC.
For the vulnerability to be triggered, the target must find this video in Skype video gallery browser Dailymotion's section. Watching the video in a Skype chat or in a mood message is safe, as Internet Explorer control is not used.
A user of Skype for Windows who navigates to the video with specially crafted Title from Dailymotion in Skype's video gallery may experience execution of arbitrary code without consent.
All Windows releases including 3.5.* and 3.6.* are vulnerable to this attack.
The proof of concept has been made public by Aviv Raff and Miroslav Lucinskij. Here's a video demonstration:
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.