
             AUSCERT External Security Bulletin Redistribution

                          ESB-2008.0124 -- [Win]
               Skypefind Cross Zone Scripting Vulnerability
                              6 February 2008


        AusCERT Security Bulletin Summary

Product:     and prior
Publisher:            Skype
Operating System:     Windows
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-0582 CVE-2008-0583

Original Bulletin:    http://skype.com/intl/en/security/skype-sb-2008-002.html

--------------------------BEGIN INCLUDED TEXT--------------------

SKYPE-SB/2008-002: Skypefind Cross Zone Scripting Vulnerability

   Bulletin title:       Skypefind Cross Zone Scripting Vulnerability
   Bulletin ID:          SKYPE-SB/2008-002
   Bulletin status:      FINAL
   Date of announcement: 2008-01-31 11:00:00 +0000
   Products affected:    Skype for Windows
   Vulnerability type:   Cross Zone Scripting
   CVE references:      
   Risk assessment:      MEDIUM
   CVSS base score:      7.8 (AV:N/AC:M/Au:Mu/C:C/I:C/A:C)

Table of contents:

    1. Problem description and brief discussion
    2. Impact and affected software
    3. Solution or work-around
    4. Special instructions and notes
    5. Software download location
    6. Authenticity verification
    7. Common Vulnerability Scoring System (CVSS) assessment
    8. Credits and additional information
    9. Bulletin release history
   10. Notices

1. Problem description and brief discussion


   Skype uses the Internet Explorer web control to render HTML content
   for different web applications, including SkypeFind.

   A vulnerability has been found in SkypeFind which allows an attacker
   to execute arbitrary code when the victim navigates to a SkypeFind
   directory item (business contact) that was submitted in a special way.

   There is one important precondition for the exploit to work: the
   victim must receive a Skype contact request authorization from the
   attacker's Skype account.

   This vulnerability is exploitable because of a security zone elevation
   vulnerability in the Skype client (see Skype Security Bulletin
   SKYPE-SB/2008-001 and links in Cross References section above) which
   allows scripts to be run in the Local Zone security context in the IE
   web control used to render SkypeFind content.

2. Impact and affected software


   A user of Skype for Windows who either a) navigates directly to a
   specially submitted SkypeFind business contact or b) when searching
   for business contacts is presented with a result page which includes
   a specially submitted business contact may experience execution of
   arbitrary code without consent.

Affected software

3. Solution or work-around

   Skype has fixed the vulnerability in Skypefind

4. Special instructions and notes


5. Software download location

   The preferred method for installing security updates is to download
   the software directly from Skype's website, from the website of
   Skype's authorized partners, or from a reliable mirror site. Skype may
   also be safely downloaded from other locations, but in this case it is
   particularly important that you verify the authenticity of the

   We recommend that once you download any Skype software that you verify
   its integrity by the methods listed in Section 6 of this Bulletin.

   x86 platform, Microsoft Windows 2000 or Microsoft Windows XP:

   x86 platform, Linux: http://www.skype.com/download/skype/linux/

   PPC and x86 platforms, Mac OS X v10.3.9 or later:

   Pocket PC platform, Microsoft Windows Mobile 2003:

6. Authenticity verification

   - Bulletin authenticity verification:

   Skype security bulletins are published on Skype's web site and via
   mailing lists. The authenticity and integrity of a Skype security
   bulletin may be determined by inspecting the cryptographic
   signature that is attached to each bulletin. All Skype security
   bulletins are published with a valid digital signature produced by

   - Software authenticity verification:

   Both the Skype installer program and the Skype program that is
   installed by the installer are digitally signed.

   For Skype software built for Microsoft Windows and Mac OS X operating
   environments, the digital certificate used by Skype to sign software
   packages is signed by "VeriSign Class 3 Code Signing 2004 CA".

   For Skype software built for Linux platforms, all packages are signed
   by PGP key ID 0xD66B746E, the public component of which may be
   downloaded from http://www.skype.com/download/skype/linux/.

   - For general information about Skype security, please visit the Skype
   Security Resource Center at http://www.skype.com/security/.
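
   The Windows software check described in this section, as an added
   example that is not part of the original bulletin and is not Skype's
   code. The installer file name is a hypothetical placeholder; the
   issuer name is the one stated above.

```powershell
# Added example, not Skype's code. Issuer name is taken from Section 6 above.
$ExpectedIssuerCN = 'VeriSign Class 3 Code Signing 2004 CA'

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $IssuerCN
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    # 'Valid' means the file hash matches the signature and the chain is trusted.
    # NotSigned, HashMismatch, NotTrusted and UnknownError all fail the check.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status $($sig.Status): $($sig.StatusMessage)"
        return $false
    }
    # A valid signature is not enough: confirm who issued the signer certificate.
    $issuer = $sig.SignerCertificate.Issuer
    if ($issuer -notmatch [regex]::Escape("CN=$IssuerCN")) {
        Write-Warning "Unexpected issuer: $issuer"
        return $false
    }
    # Show the signer so the operator can confirm the publisher name by eye.
    Write-Host "Signer:     $($sig.SignerCertificate.Subject)"
    Write-Host "Thumbprint: $($sig.SignerCertificate.Thumbprint)"
    return $true
}

# Hypothetical file name for the downloaded installer.
Test-InstallerSignature -Path '.\SkypeSetup.exe' -IssuerCN $ExpectedIssuerCN
```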

7. Common Vulnerability Scoring System (CVSS) assessment

   Skype has rated the issue covered by this Security Bulletin under the
   CVSS scheme as follows:

   Base metrics as of 2008-01-31:

   Access Vector (AV) ........... Network
   Access Complexity (AC) ....... Medium
   Authentication (Au) .......... Multiple
   Confidentiality Impact (C) ... Complete
   Integrity Impact (I) ......... Complete
   Availability Impact (A) ...... Complete

   Computed CVSS base score: 7.8

   Temporal metrics as of 2008-01-31:

   Exploitability (E) ........... proof-of-concept
   Remediation Level (RL) ....... official-fix
   Report Confidence (RC) ....... confirmed

   Computed CVSS temporal score: 6.1

   Skype participates in the CVSS by rating each identifiable security
   vulnerability against the CVSS base metrics. In addition, Skype may
   rate each vulnerability against temporal metrics from time to time. As
   suggested by the name, temporal metrics for a particular vulnerability
   may change from time to time.

   More information about the CVSS may be obtained from the CVSS host
   website at http://www.first.org/cvss/.

8. Credits and additional information

   Skype would like to thank Aviv Raff for having referred this problem
   to Skype in a timely manner.

9. Bulletin release history

   2008-01-31 Initial bulletin release

10. Notices

   Copyright 2008 Skype Technologies, S.A. All rights reserved.

   This Skype Security Bulletin may be reproduced and distributed,
   provided that the Bulletin is not modified in any way and is
   attributed to Skype Technologies, S.A. and provided that reproduction
   and distribution is performed for non-commercial purposes.

   This Skype Security Bulletin is provided to you on an "AS IS" basis and
   may contain information provided by third parties. Skype makes no
   guarantees or warranties as to the information contained herein. ANY

   To report a security issue to Skype, please send an e-mail that
   describes the problem or vulnerability to security@skype.com.
   Please consider securing any reports that disclose security
   vulnerabilities by encrypting them using the current PGP key of the
   Skype Computer Emergency Response Team (SKY-CERT), PGP key ID

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
