Skype's web control opens a door to attacks. This was dug up by a security researcher called Aviv Raff who revealed a vulnerable side of Skype which would allow malicious code intrusion giving certain conditions. This is possible because the program utilizes Internet Explorer to render internal and external HTML, but does so using "Local Zone" security settings.
For this bug to be successfully used would be necessary that some malware authors locate a trusted site having a cross-zone scripting error. Such errors are not uncommon, on the contrary; what they actually do is allowing the implementation of potentially dangerous scripts as if they carried higher permissions than they actually do.
These kind of scripts present a far-ranging potential for applications and the danger comes from the fact that many such applications could be initiated without being entirely blocked or even detected.
As security researcher Petko Petkov explained, "When a given resource executes within the Local Zone context, all sorts of things are possible like, including but not only, reading/writing files from the local disc and launching executables through the WSH primitives."
The problem with Skype lies in its video searches function which considerably raises the level of risk owing to its vulnerability to cross-site scripting. That’s why, although so far, there was no discovery of infected videos, any of the movies placed on the website could be potential containers of such a script.
The newly discovered bug represents at present a threat for Skype v.3.6.0.244; nevertheless it may also be located in older editions of the client. Currently, the best way to deal with it would probably be not to run video searches using Skype. If you merely have the program installed on your computer and use its other different functions you don’t have to worry because you actually don’t risk having your system infected.
