January 23, 2008
Worm scare kills Skype Video sharing
A Skype feature that allows users to share videos from MetaCafe.com and DailyMotion.com has been disabled due to a worm vulnerability.
Last week Raff showed how attackers could exploit the bug to run unauthorized software on a Skype user’s PC. But on Tuesday, the security researcher said the flaw was more serious than he’d first thought. It can “be triggered by simply visiting a Web site, or clicking on a link from your instant messaging application,” he wrote in a blog posting, “Which basically means that this vulnerability is now wormable.”
For Raff’s attack to work, an attacker would have to post a maliciously encoded video file to either of the Metacafe or Dailymotion Web sites. Metacafe said Tuesday that it’s “highly unlikely” that this kind of malicious video would make it through the site’s content-filtering process. In a statement, the company said it expects Metacafe videos to be available to Skype users as early as Wednesday morning.
Raff said that because the attack could lead to a widespread worm outbreak, it would be better for Skype to fix the underlying problem before bringing Metacafe back online.
Raff believes that Dailymotion was probably susceptible to this type of attack as well, although he was unable to confirm this after Skype cut off access to the Web site.
The problem lies in the fact that Skype uses a Windows Internet Explorer (IE) component with inappropriate security settings, researchers say. Instead of processing pages it renders with the more secure “Internet Zone” security setting, Skype uses IE’s “Local Zone” security setting, usually reserved for more trustworthy content. (from Yahoo News)
VOIP and chat applications continue to be a growing target for developers of malicious programs. The risks of being caught are small with large rewards for many. Developers and users need to be more vigilant in implementing and using new features. Better publicly accessible tools are needed to enable the average Joe to trace malicious software to its origin, and developers should also devote attention to this along with feature creep. In a Third Pipe world, the criminals should be under the watchful eye of the many, not the few.



