HACKER CLAIMS SKYPE STILL VULNERABLE
By Michael Lee
ZDNet Australia
http://www.zdnet.com.au/hacker-claims-skype-still-vulnerable-339318566.htm
July 15 2011
An Armenian hacker is claiming that Skype has failed to learn from
prior security lessons, falling victim to a cross-site scripting (XSS)
vulnerability similar to one it patched in May, which would allow
users to redirect victims to unwanted websites or run arbitrary code.
The May vulnerability allowed users to fool the Mac client of Skype
into running arbitrary code as the client didn't check, or sanitise,
instant messages to ensure they were free of malicious code.
While Skype issued a low-priority patch at the time, a 28-year-old
Armenian-based security engineer, Levent "noptrix" Kayan, claimed on
Wednesday night that a similar XSS vulnerability existed elsewhere
in Skype's software.
He said that the failure to sanitise certain user information or the
output rendered in Skype clients could still allow code to be executed.
In particular, Kayan claimed that he could see remote users' session
information, which he said a malicious user could utilise to masquerade
as the remote user and make calls on their account.
He also said it could be used to take advantage of other holes,
possibly allowing full control over the PC. Both of the latest versions
of Windows and Mac clients are affected.
He told ZDNet Australia: "An attacker would need to [submit] malicious
code. The victim doesn't have to do anything. He will be attacked,
when he just logs into his account."
Skype said the vulnerability was considered a minor issue and that
it had developed a fix for it which would be deployed next week.
Skype's head of information security, Adrian Asher, said that in
order to exploit this, a person would have to be a validated contact
of yours and one of the most frequent people you are in contact with
and was therefore very unlikely to cause any issues in the real world.
Nevertheless, he said the vulnerability shouldn't have existed and
it would be fixed.
Additionally, Skype said that the session information that Kayan had
been able to access was in relation to the web session IDs and not
Skype IDs, suggesting that the attacker couldn't make calls using the
exploit. It did, however, concede that it was possible for a victim's
contacts to redirect them to any website using the web browser built
into the Skype client, but stressed that only validated contacts
would be able to do so. In the meantime, it said users should not
authorise people they do not know and/or do not want to talk to.
HackLabs director, Chris Gatford, said that it was common to come
across these sorts of vulnerabilities in the penetration testing work
his company does on client systems.
"I would suggest that 80 per cent, perhaps even 90 per cent of the
time, cross-site scripting vulnerabilities are present," he said.
Gatford mentioned the previous XSS vulnerability in the Skype client
and thought that it was surprising that Skype had not patched all
of its input validation problems when it was previously brought to
its attention.
"This would be a simple fix for them. To be honest, I'm kind of
surprised they didn't learn their lesson the first time and extend
the fix system-wide then."
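The flaw Kayan describes, unsanitised user information rendered by the client, and Gatford's point that the fix should have been applied system-wide both come down to the same engineering decision: escape every user-controlled field at the point where it is turned into markup, through one shared path, rather than patching the single field that was reported. The following is an added illustration and not Skype's code; the profile field names (`displayName`, `moodText`, `homepage`), the contact-card template and the sample profiles are all assumptions constructed for the example. It shows a raw-concatenation renderer beside a hardened one, plus a scheme check so that a contact's link cannot steer the client's built-in browser to a `javascript:` URL.

```javascript
// Added example (not Skype's code): rendering untrusted profile fields in an
// HTML-based client view. Field names and the template are assumptions.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode every character that can change HTML element or attribute context.
// Applied at output time, this neutralises markup regardless of which field
// the text came from (display name, mood text, city, ...).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only absolute http(s) URLs into an href. Any other scheme
// (javascript:, data:, ...) or unparsable input falls back to an inert value.
function safeHref(url) {
  try {
    const parsed = new URL(String(url));
    if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
      return escapeHtml(parsed.href);
    }
  } catch (_) {
    // not a valid absolute URL; fall through to the inert value
  }
  return '#';
}

// The "before": raw string concatenation. Markup inside any field becomes
// live markup in the rendered contact card.
function renderContactCardUnsafe(profile) {
  return '<div class="contact">' +
    `<span class="name">${profile.displayName}</span>` +
    `<span class="mood">${profile.moodText}</span>` +
    `<a href="${profile.homepage}">homepage</a>` +
    '</div>';
}

// The "after": one escaping path for every text field and one scheme check
// for every link, so the fix is not limited to the field that was reported.
function renderContactCard(profile) {
  return '<div class="contact">' +
    `<span class="name">${escapeHtml(profile.displayName)}</span>` +
    `<span class="mood">${escapeHtml(profile.moodText)}</span>` +
    `<a href="${safeHref(profile.homepage)}">homepage</a>` +
    '</div>';
}

// Demonstration-only check: does the rendered string contain any tag other
// than the template's own div/span/a, or a javascript: link? This is not a
// substitute for escaping; it only makes the difference visible in a test.
function containsInjectedMarkup(html) {
  const tags = html.match(/<\/?[a-z][^\s>/]*/gi) || [];
  const foreign = tags.some((t) => !/^<\/?(div|span|a)$/i.test(t));
  return foreign || /href="javascript:/i.test(html);
}

// Constructed sample profiles (not real data).
const hostileProfile = {
  displayName: 'Mallory <script>alert(1)</script>',
  moodText: '"><img src=x onerror="alert(1)">',
  homepage: 'javascript:alert(1)',
};

const benignProfile = {
  displayName: 'Alice & Bob',
  moodText: 'Away until 5pm',
  homepage: 'https://example.com/alice',
};

// Stand-alone run: compare the two renderers on the hostile profile.
console.log('unsafe injected:', containsInjectedMarkup(renderContactCardUnsafe(hostileProfile)));
console.log('safe injected:  ', containsInjectedMarkup(renderContactCard(hostileProfile)));
console.log(renderContactCard(benignProfile));
```

The point of routing every field through `escapeHtml` and every link through `safeHref` is that a newly discovered field (or a new place the same field is displayed) is covered automatically; a per-field patch of the kind the article criticises leaves every other rendering site exposed.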
From: A. Papazian