Skype Ltd. plugged yet another critical vulnerability today, but the researcher who reported the bug said that's not enough.
Noted vulnerability researcher Aviv Raff said that another Skype flaw, this one in the software's SkypeFind feature, can be used to inject attack script into systems running the application.
SkypeFind, which was introduced in Skype 3.1 for Windows, lets users recommend businesses to others running the voice-over-IP and chat client and write reviews of those businesses. "Sadly, it could also be used by attackers to own Skype users' machines," Raff said in a blog post.
Specifically, Skype neglects to sanitize reviewers' names, so attackers could replace their Skype names with malicious script. The result is striking, said Raff: "Whenever a victim views a business which was reviewed by the attacker, the malicious script will be executed in an unlocked Local Zone."
http://www.computerworld.com/action...action/article.do?command=viewArticleBasic&articleId=9060466&source=rss_topic17
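The flaw class described in the article (a reviewer name rendered into an HTML view without sanitizing) can be shown with a small added example; this is not Skype's code and not part of the article. The function names, the markup, the name policy and the sample reviews are assumptions constructed for illustration.

```javascript
// Added example: a hypothetical review renderer, not Skype's implementation.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding: turn markup-significant characters into inert entities.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed name policy for this example: starts with a letter, 6-32 characters,
// only letters, digits and . , _ - are allowed.
const NAME_PATTERN = /^[A-Za-z][A-Za-z0-9._,-]{5,31}$/;

// Input validation: refuse a review whose reviewer name breaks the policy.
function acceptReview(review) {
  return typeof review.reviewer === 'string' && NAME_PATTERN.test(review.reviewer);
}

// The flawed pattern: the reviewer name is pasted into the markup as-is,
// so any tags it contains become part of the page.
function renderReviewUnsafe(review) {
  return `<div class="review"><b>${review.reviewer}</b>: ${review.text}</div>`;
}

// Hardened: every untrusted field is encoded at output time, even if
// validation was skipped or the stored data predates the check.
function renderReviewSafe(review) {
  return `<div class="review"><b>${escapeHtml(review.reviewer)}</b>: ` +
         `${escapeHtml(review.text)}</div>`;
}

// Constructed sample data: one ordinary review, one with markup in the name.
const SAMPLE_REVIEWS = [
  { reviewer: 'alice.reviews', text: 'Great coffee & fast service' },
  { reviewer: '<script>void 0</script>', text: 'Nice place' },
];

for (const review of SAMPLE_REVIEWS) {
  console.log('accepted at submission:', acceptReview(review));
  console.log('unsafe:', renderReviewUnsafe(review));
  console.log('safe:  ', renderReviewSafe(review));
}
```

Validation at submission and encoding at display are independent layers; the encoding step is the one that still holds when a bad name is already stored.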