===========================================================================
             AUSCERT External Security Bulletin Redistribution

      ESB-2008.0097 -- [Win] Skype Cross Zone Scripting Vulnerability
                              29 January 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Skype 3.5.x and 3.6.x
Publisher:            Skype
Operating System:     Windows
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-0454

Original Bulletin:
  http://skype.com/security/skype-sb-2008-001-update1.html
  http://skype.com/security/skype-sb-2008-001-update1.txt

--------------------------BEGIN INCLUDED TEXT--------------------

________________________________________

SKYPE SECURITY BULLETIN                                          SKY-CERT

Bulletin title:       Skype Cross Zone Scripting Vulnerability
Bulletin ID:          SKYPE-SB/2008-001
Bulletin status:      PRELIMINARY
Date of announcement: 2008-01-23 9:00:00 +0000
Products affected:    Skype for Windows
Vulnerability type:   Code injection
CVE references:
Risk assessment:      HIGH
CVSS base score:      10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cross-references:
  http://aviv.raffon.net/2008/01/17/SkypeCrosszoneScriptingVulnerability.aspx
  http://seclists.org/fulldisclosure/2008/Jan/0328.html

Table of contents:

   1. Problem description and brief discussion
   2. Impact and affected software
   3. Solution or work-around
   4. Special instructions and notes
   5. Software download location
   6. Authenticity verification
   7. Common Vulnerability Scoring System (CVSS) assessment
   8. Credits and additional information
   9. Bulletin release history
  10. Notices

________________________________________________________________________

1. Problem description and brief discussion

Description
-----------

Skype uses the Internet Explorer web control to render HTML content.
This is also used to provide the "add video to mood" and "add video to
chat" functionality. This is realized over a JS/ActiveX interface, which
allows scripts to be run in the Local Zone security context of IE. In
order to exploit this, an attacker must exploit a code injection
vulnerability at the partner site. Such a vulnerability has been
discovered in the Dailymotion website. A similar vulnerability has now
also been detected in the Metacafe Pro video submission software.

Discussion
----------

An attacker who constructs the Title of a video in a specific way in the
Dailymotion gallery can cause arbitrary code to be executed on the
target's PC. For the vulnerability to be triggered, the target must find
this video in the Skype video gallery browser section. Watching the video
in a Skype chat or in a mood message is safe, as the Internet Explorer
control is not used.

Details of the vulnerability in Metacafe have not been disclosed. However,
the PoC has been enhanced so that the malicious video can be referred to
through a Skype URI, which in turn can be sent directly to victims.

The proof of concept has been published by Aviv Raff and Miroslav
Lucinskij.

________________________________________________________________________

2. Impact and affected software

Impact
------

A user of Skype for Windows who has Skype running and follows a link to a
specially crafted video may experience execution of arbitrary code without
consent.

Affected Software
-----------------

The following Skype clients are vulnerable to this attack:

Skype for Windows:
  All releases including 3.5.* and 3.6.*

________________________________________________________________________

3. Solution or work-around

Skype has temporarily disabled users' ability to browse videos from
Dailymotion's gallery until an official fix has been made available.

Skype has now fully disabled video adding from gallery until an official
fix has been made available.

________________________________________________________________________

4. Special instructions and notes

None.

________________________________________________________________________

5. Software download location

The preferred method for installing security updates is to download the
software directly from Skype's website, from the website of Skype's
authorized partners, or from a reliable mirror site. Skype may also be
safely downloaded from other locations, but in this case it is
particularly important that you verify the authenticity of the download.

We recommend that once you download any Skype software, you verify its
integrity by the methods listed in Section 6 of this Bulletin.

x86 platform, Microsoft Windows 2000 or Microsoft Windows XP:
  http://www.skype.com/products/skype/windows/

x86 platform, Linux:
  http://www.skype.com/products/skype/linux/

PPC and x86 platforms, Mac OS X v10.3.9 or later:
  http://www.skype.com/products/skype/macosx/

Pocket PC platform, Microsoft Windows Mobile 2003:
  http://www.skype.com/products/skype/pocketpc/

________________________________________________________________________

6. Authenticity verification

- Bulletin authenticity verification: Skype security bulletins are
  published on Skype's web site and via mailing lists. The authenticity
  and integrity of a Skype security bulletin may be determined by
  inspecting the cryptographic signature that is attached to each
  bulletin. All Skype security bulletins are published with a valid
  digital signature produced by PGP.

- Software authenticity verification: Both the Skype installer program
  and the Skype program that is installed by the installer are digitally
  signed. For Skype software built for Microsoft Windows and Mac OSX
  operating environments, the digital certificate used by Skype to sign
  software packages is signed by "VeriSign Class 3 Code Signing 2004 CA".
  For Skype software built for Linux platforms, all packages are signed
  by PGP key ID 0xD66B746E, the public component of which may be
  downloaded from http://www.skype.com/products/skype/linux/.

- For general information about Skype security, please visit the Skype
  Security Resource Center at http://www.skype.com/security/.

________________________________________________________________________

7. Common Vulnerability Scoring System (CVSS) assessment

Skype has rated the issue covered by this Security Bulletin under the
CVSS scheme as follows:

Base metrics as of 2008-01-23:

  Access Vector (AV) ........... Network
  Access Complexity (AC) ....... Low
  Authentication (Au) .......... Not Required
  Confidentiality Impact (C) ... Complete
  Integrity Impact (I) ......... Complete
  Availability Impact (A) ...... Complete

  Computed CVSS base score: 10.0

Temporal metrics as of 2008-01-23:

  Exploitability (E) ........... Functional
  Remediation Level (RL) ....... Workaround
  Report Confidence (RC) ....... Confirmed

  Computed CVSS temporal score: 9.0

Skype participates in the CVSS by rating each identifiable security
vulnerability against the CVSS base metrics. In addition, Skype may rate
each vulnerability against temporal metrics from time to time. As
suggested by the name, temporal metrics for a particular vulnerability
may change from time to time.

More information about the CVSS may be obtained from the CVSS host
website at http://www.first.org/cvss/.

________________________________________________________________________

8. Credits and additional information

Skype would like to thank and credit Aviv Raff for having referred this
problem to Skype.

________________________________________________________________________

9. Bulletin release history

2008-01-18 Initial bulletin release
2008-01-23 Bulletin updated

________________________________________________________________________

10. Notices

Copyright 2006 Skype Technologies, S.A. All rights reserved.
This Skype Security Bulletin may be reproduced and distributed, provided
that the Bulletin is not modified in any way and is attributed to Skype
Technologies, S.A. and provided that reproduction and distribution is
performed for non-commercial purposes.

This Skype Security Bulletin is provided to you on an "AS IS" basis and
may contain information provided by third parties. Skype makes no
guarantees or warranties as to the information contained herein. ANY AND
ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED.

========================================================================

To report a security issue to Skype, please send an e-mail that describes
the problem or vulnerability to <security@skype.com>. Please consider
securing any reports that disclose security vulnerabilities by encrypting
them using the current PGP key of the Skype Computer Emergency Response
Team (SKY-CERT), PGP key ID 0xAD2DF320.

========================================================================

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================