
             AUSCERT External Security Bulletin Redistribution

                          ESB-2008.0097 -- [Win]
                 Skype Cross Zone Scripting Vulnerability
                              29 January 2008


        AusCERT Security Bulletin Summary

Product:              Skype 3.5.x and 3.6.x
Publisher:            Skype
Operating System:     Windows
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-0454

Original Bulletin:    http://skype.com/security/skype-sb-2008-001-update1.html

--------------------------BEGIN INCLUDED TEXT--------------------


SKYPE SECURITY BULLETIN                                         SKY-CERT

  Bulletin title:          Skype Cross Zone Scripting Vulnerability
  Bulletin ID:             SKYPE-SB/2008-001
  Bulletin status:         PRELIMINARY
  Date of announcement:    2008-01-23 9:00:00 +0000
  Products affected:       Skype for Windows
  Vulnerability type:      Code injection
  CVE references:          
  Risk assessment:         HIGH
  CVSS base score:         10.0
  Table of contents:

  1.  Problem description and brief discussion
  2.  Impact and affected software
  3.  Solution or work-around
  4.  Special instructions and notes
  5.  Software download location
  6.  Authenticity verification
  7.  Common Vulnerability Scoring System (CVSS) assessment
  8.  Credits and additional information
  9.  Bulletin release history
  10. Notices


1.  Problem description and brief discussion

    Skype uses the Internet Explorer web control to render HTML content.
    This control is also used to provide the "add video to mood" and
    "add video to chat" functionality. It is realized over a JS/ActiveX
    interface which allows scripts to be run in the Local Zone security
    context of IE.
    In order to exploit this, an attacker must first exploit a code
    injection vulnerability at the partner site. Such a vulnerability has
    been discovered on the Dailymotion website.
    A similar vulnerability has now also been detected in the Metacafe Pro
    video submission software.

    An attacker who constructs the title of a video in a specific way in
    the Dailymotion gallery can cause arbitrary code to be executed on
    the target's PC. For the vulnerability to be triggered, the target
    must find this video in the video gallery browser section of Skype.
    Watching the video in a Skype chat or in a mood message is safe, as
    the Internet Explorer control is not used there.
    Details of the vulnerability in Metacafe have not been disclosed.
    However, the PoC has been enhanced so that the malicious video can be
    referenced through a Skype URI, which in turn can be sent directly to
    victims.
    The proof of concept has been published by Aviv Raff and Miroslav
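    The injection class described above, as an added illustration that is
    not code from Skype, Dailymotion or the bulletin's authors: a gallery
    page builds an entry from a user-supplied video title. Rendered
    verbatim inside a browser control that runs in the Local Zone, an
    active title executes with local privileges; escaping the title before
    it is embedded removes that path, and a parse-level audit of the
    rendered markup shows the difference. The title strings, render
    functions and auditor are all constructed for this example; the actual
    Dailymotion payload is not disclosed on the page.

```python
"""Added example (not Skype's, Dailymotion's or the advisory authors' code):
an unescaped video title rendered into a gallery page versus the escaped
form, with a small auditor that flags markup which would execute script."""
import html
from html.parser import HTMLParser

# Constructed sample titles; the real payload is not on the page.
HOSTILE_TITLE = 'Cute cat <script>alert("local zone")</script> <b onmouseover="x()">hi</b>'
BENIGN_TITLE = 'Tom & Jerry "classic" <1950>'


def render_entry_unsafe(title: str) -> str:
    """Vulnerable form: the title is concatenated into the page verbatim,
    so any markup in it becomes part of the document the control renders."""
    return f'<div class="title">{title}</div>'


def render_entry_safe(title: str) -> str:
    """Hardened form: every character with HTML meaning (<, >, &, quotes)
    is escaped, so the title is rendered as text, never as markup."""
    return f'<div class="title">{html.escape(title, quote=True)}</div>'


class ActiveContentAuditor(HTMLParser):
    """Collects findings for elements and attributes that run script."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "object", "embed", "iframe"):
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name}= handler on <{tag}>")
            if value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")


def audit(markup: str) -> list[str]:
    """Parse rendered markup and return the list of active-content findings
    (empty list means nothing in it would execute when rendered)."""
    auditor = ActiveContentAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for label, renderer in (("unsafe", render_entry_unsafe), ("safe", render_entry_safe)):
        out = renderer(HOSTILE_TITLE)
        print(f"{label}: {out}")
        print(f"  findings: {audit(out)}")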

2.  Impact and affected software


    A user of Skype for Windows who has Skype running and follows a link
    to a specially crafted video may experience execution of arbitrary
    code without consent.

    Affected Software

    The following Skype clients are vulnerable to this attack:

    Skype for Windows:
      All releases including 3.5.* and 3.6.*


3.  Solution or work-around

    Skype has temporarily disabled users' ability to browse videos from
    Dailymotion's gallery until an official fix has been made available.
    Skype has now fully disabled adding videos from the gallery until an
    official fix has been made available.

4.  Special instructions and notes



5.  Software download location

    The preferred method for installing security updates is to download
    the software directly from Skype's website, from the website of
    Skype's authorized partners, or from a reliable mirror site.  Skype
    may also be safely downloaded from other locations, but in this
    case it is particularly important that you verify the authenticity
    of the download.

    We recommend that, once you download any Skype software, you
    verify its integrity by the methods listed in Section 6 of this

    x86 platform, Microsoft Windows 2000 or Microsoft Windows XP:

    x86 platform, Linux:

    PPC and x86 platforms, Mac OS X v10.3.9 or later:

    Pocket PC platform, Microsoft Windows Mobile 2003:


6.  Authenticity verification

    - Bulletin authenticity verification:

      Skype security bulletins are published on Skype's web site and
      via mailing lists.  The authenticity and integrity of a Skype
      security bulletin may be determined by inspecting the
      cryptographic signature that is attached to each bulletin.  All
      Skype security bulletins are published with a valid digital
      signature produced by PGP.

    - Software authenticity verification:

      Both the Skype installer program and the Skype program that is
      installed by the installer are digitally signed.

      For Skype software built for Microsoft Windows and Mac OSX operating
      environments, the digital certificate used by Skype to sign
      software packages is signed by "VeriSign Class 3 Code Signing 2004

      For Skype software built for Linux platforms, all packages are
      signed by PGP key ID 0xD66B746E, the public component of which may
      be downloaded from http://www.skype.com/products/skype/linux/.

    - For general information about Skype security, please visit the
      Skype Security Resource Center at http://www.skype.com/security/.


7.  Common Vulnerability Scoring System (CVSS) assessment

    Skype has rated the issue covered by this Security Bulletin under
    the CVSS scheme as follows:

    Base metrics as of 2008-01-23:

    Access Vector (AV) ........... Network
    Access Complexity (AC) ....... Low
    Authentication (Au) .......... Not Required
    Confidentiality Impact (C) ... Complete
    Integrity Impact (I) ......... Complete
    Availability Impact (A) ...... Complete

    Computed CVSS base score:  10.0

    Temporal metrics as of 2008-01-23

    Exploitability (E) ........... Functional
    Remediation Level (RL) ....... Workaround
    Report Confidence (RC) ....... Confirmed

    Computed CVSS temporal score:  9.0

    Skype participates in the CVSS by rating each identifiable security
    vulnerability against the CVSS base metrics.  In addition, Skype
    may rate each vulnerability against temporal metrics from time to
    time.  As suggested by the name, temporal metrics for a particular
    vulnerability may change from time to time.

    More information about the CVSS may be obtained from the CVSS host
    website at http://www.first.org/cvss/.


8.  Credits and additional information

    Skype would like to thank and credit Aviv Raff for having referred 
    this problem to Skype.

9.  Bulletin release history

    2008-01-18   Initial bulletin release
    2008-01-23   Bulletin updated


10. Notices

    Copyright 2006 Skype Technologies, S.A.  All rights reserved.

    This Skype Security Bulletin may be reproduced and distributed,
    provided that the Bulletin is not modified in any way and is
    attributed to Skype Technologies, S.A. and provided that
    reproduction and distribution is performed for non-commercial
    purposes.

    This Skype Security Bulletin is provided to you on an "AS IS" basis
    and may contain information provided by third parties.  Skype makes
    no guarantees or warranties as to the information contained herein.


To report a security issue to Skype, please send an e-mail that
describes the problem or vulnerability to <security@skype.com>.  Please
consider securing any reports that disclose security vulnerabilities by
encrypting them using the current PGP key of the Skype Computer
Emergency Response Team (SKY-CERT), PGP key ID 0xAD2DF320.



--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

Comment: http://www.auscert.org.au/render.html?it=1967