Worm fears shut down Skype video feature

Skype has disabled a video-sharing feature because of security concerns.

Skype has been forced to turn off a video-sharing feature in its software because it could be misused to launch a self-copying worm attack against Skype users, security researchers said Tuesday.

A bug in the software, which was first reported last Thursday by security researcher Aviv Raff, stems from the way Skype uses an Internet Explorer component to render HTML.

Skype's video-sharing feature allows users to share videos hosted on two sites -- Dailymotion.com and Metacafe.com -- while chatting with other Skype users.

Last week Raff showed how attackers could exploit the bug to run unauthorized software on a Skype user's PC. But on Tuesday, the security researcher said the flaw was more serious than he'd first thought. It can "be triggered by simply visiting a Web site, or clicking on a link from your instant messaging application," he wrote in a blog posting, "Which basically means that this vulnerability is now wormable."

Skype appeared to have pulled the video feature from its client software on Tuesday as a result of the bug. Users who attempted to click on the "videos" button within a chat window were greeted with a message that the feature was unavailable "because of some security concerns."

"Our brightest engineers are rattling their wrenches to make things all right and bring the beloved videos back. Soon," the message read. "Sorry about this."

Skpe representatives did not return calls seeking comment. Last week, Skype spokesman Villu Arak confirmed that there was a security problem for Skype 3.5 and 3.6 users who visited the Dailymotion.com Web site, but users were still able to share videos using Metacafe.com.

On Tuesday, however, Skype pulled the video feature altogether after being informed of the new problem, Raff said.

Because Metacafe had a cross-site scripting flaw, a common type of programming error, Raff was able to run JavaScript on Metacafe.com, which could then be used to run unauthorized software on the victim's computer. Attackers could then forward a link to the malicious Web page to all of the Skype contacts in the victim's computer, spreading the infection.

For Raff's attack to work, an attacker would have to post a maliciously encoded video file to either of the Metacafe or Dailymotion Web sites. Metacafe said Tuesday that it's "highly unlikely" that this kind of malicious video would make it through the site's content-filtering process.

In a statement, the company said it expects Metacafe videos to be available to Skype users as early as Wednesday morning.

Raff said that because the attack could lead to a widespread worm outbreak, it would be better for Skype to fix the underlying problem before bringing Metacafe back online.

Raff believes that Dailymotion was probably susceptible to this type of attack as well, although he was unable to confirm this after Skype cut off access to the Web site.

The problem lies in the fact that Skype uses a Windows Internet Explorer (IE) component with inappropriate security settings, researchers say. Instead of processing pages it renders with the more secure "Internet Zone" security setting, Skype uses IE's "Local Zone" security setting, usually reserved for more trustworthy content.

Until Skype engineers make some changes to their software, more of these problems will continue to pop up, Raff said.

Another security researcher who has been studying the flaw agreed.

"If they keep their Skype client running in the Local Zone of IE, we will see more of these," said Petko Petkov of GNU Citizen via instant message. "Before killing Metacafe, anyone that owns the server would have been able to own every Skype user on the planet."

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Michael Hargreaves

Windows 10 for Business / Dell XPS

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?