How Dangerous Is It?
For Raff's attack to work, an attacker would have to post a maliciously encoded video file to either of the Metacafe or Dailymotion Web sites. Metacafe said Tuesday that it's "highly unlikely" that this kind of malicious video would make it through the site's content-filtering process.
In a statement, the company said it expects Metacafe videos to be available to Skype users as early as Wednesday morning.
Raff said that because the attack could lead to a widespread worm outbreak, it would be better for Skype to fix the underlying problem before bringing Metacafe back online.
Raff believes that Dailymotion was probably susceptible to this type of attack as well, although he was unable to confirm this after Skype cut off access to the Web site.
The problem lies in the fact that Skype uses a Windows Internet Explorer (IE) component with inappropriate security settings, researchers say. Instead of processing pages it renders with the more secure "Internet Zone" security setting, Skype uses IE's "Local Zone" security setting, usually reserved for more trustworthy content.
Until Skype engineers make some changes to their software, more of these problems will continue to pop up, Raff said.
Another security researcher who has been studying the flaw agreed.
"If they keep their Skype client running in the Local Zone of IE, we will see more of these," said Petko Petkov of GNU Citizen via instant message. "Before killing Metacafe, anyone that owns the server would have been able to own every Skype user on the planet."
Ad Choices