Worm Fears Shut Down Skype Video Feature

Today's Best Tech Deals

Picked by PCWorld's Editors

Top Deals On Great Products

Picked by Techconnect's Editors

Skype has been forced to turn off a video-sharing feature in its software because it could be misused to launch a self-copying worm attack against Skype users, security researchers said Tuesday.

A bug in the software, which was first reported last Thursday by security researcher Aviv Raff, stems from the way Skype uses an Internet Explorer component to render HTML.

Skype's video-sharing feature allows users to share videos hosted on two sites -- Dailymotion.com and Metacafe.com -- while chatting with other Skype users.

Exploit Shown

Last week Raff showed how attackers could exploit the bug to run unauthorized software on a Skype user's PC. But on Tuesday, the security researcher said the flaw was more serious than he'd first thought. It can "be triggered by simply visiting a Web site, or clicking on a link from your instant messaging application," he wrote in a blog posting, "Which basically means that this vulnerability is now wormable."

Skype appeared to have pulled the video feature from its client software on Tuesday as a result of the bug. Users who attempted to click on the "videos" button within a chat window were greeted with a message that the feature was unavailable "because of some security concerns."

"Our brightest engineers are rattling their wrenches to make things all right and bring the beloved videos back. Soon," the message read. "Sorry about this."

Skpe representatives did not return calls seeking comment. Last week, Skype spokesman Villu Arakconfirmed that there was a security problem for Skype 3.5 and 3.6 users who visited the Dailymotion.com Web site, but users were still able to share videos using Metacafe.com.

On Tuesday, however, Skype pulled the video feature altogether after being informed of the new problem, Raff said.

Because Metacafe had a cross-site scripting flaw, a common type of programming error, Raff was able to run JavaScript on Metacafe.com, which could then be used to run unauthorized software on the victim's computer. Attackers could then forward a link to the malicious Web page to all of the Skype contacts in the victim's computer, spreading the infection.

1 2 Page 1
Page 1 of 2
  
Shop Tech Products at Amazon