http://www.juiceapac.com/solutions

The move came a week after Israeli researcher Aviv Raff first reported a cross-zone scripting vulnerability in Skype that could be triggered by a malicious video uploaded to the Dailymotion video sharing service, one of two Skype video service partners. Raff's findings prompted Skype to temporarily disable access to Dailymotion last Thursday. Skype has yet to come up with a permanent fix.

Yesterday, Raff expanded on his research, saying a much more dangerous kind of attack could be crafted by exploiting a flaw in the video service of Metacafe Inc., the second Skype video partner. Access to Metacafe had been left open, even as Dailymotion's connection to Skype was severed. Raff coded a proof-of-concept exploit for the newest attack vector but did not share it publicly, as he had done with the Dailymotion proof-of-concept last week.

"This PoC can actually be triggered by simply visiting a Web site, or clicking on a link from your instant messaging application, which basically means that this vulnerability is now wormable!" Raff wrote in a post to his blog. "This is why I've decided not to publicly disclose the proof-of-concept, nor to show a video that might disclose too much information."

Raff's newest proof-of-concept relied on a malicious video file uploaded to Metacafe using special software that the site provides.

After he reported the new attack vector to Skype, access to Metacafe was first disabled, then mysteriously re-enabled, Raff said in an e-mail interview last night. By Wednesday morning, however, the Skype-Metacafe link was again broken. "It seems like bringing Metacafe back was probably a malfunction, and surely was not on purpose," Raff said.

Also on Wednesday, Skype revised the original security advisory from last week to account for Raff's newest findings, and to confirm that it had turned off the video spigot entirely.

"Skype has now fully disabled video adding from gallery until an official fix has been made available," the revamped bulletin read. That means Skype users can no longer pull in videos from Dailymotion or Metacafe using the "Add video to mood" or "Add video to chat" commands.

Skype has not set a timetable for producing a patch -- Versions 3.5 and 3.6 of the Windows edition of its software are the ones fingered by Skype as vulnerable -- but Raff believes a fix is straightforward. "Locking down the Local Zone is a simple registry change," he said via e-mail. "[Although] there might be other changes needed in order to preserve backward compatibility."

Villu Arak, a Skype spokesman, promised that the severed links to the partners would be reconnected at some point. "Both Dailymotion and Metacafe videos will be re-enabled as soon as an official fix has been made available," he said in an update to the Skype security blog today.

Skype, however, has not addressed another issue broached last week by a second researcher. According to Petko Petkov, a prolific penetration tester from the U.K., some Skype traffic, particularly its advertisements, is not encrypted and can be hijacked at public Wi-Fi hot spots then fed back to unsuspecting Skype users full of malicious code.

The kind of fix envisioned by Raff, however, would also eliminate the Petkov problem, since the latter relies on the same Internet Explorer Web control and poor security practices that made possible the video-based exploits.