SKYPE-SB/2008-002: Skypefind Cross Zone Scripting Vulnerability

Bulletin title: Skypefind Cross Zone Scripting Vulnerability
Bulletin ID: SKYPE-SB/2008-002
Bulletin status: FINAL
Date of announcement: 2008-01-31 11:00:00 +0000
Products affected: Skype for Windows
Vulnerability type: Cross Zone Scripting
CVE references:
Risk assessment: MEDIUM
CVSS base score: 7.8 (AV:N/AC:M/Au:M/C:C/I:C/A:C)
Cross-references:
  http://www.skype.com/intl/en/security/skype-sb-2008-001-update1.html
  http://aviv.raffon.net/2008/01/17/SkypeCrosszoneScriptingVulnerability.aspx

Table of contents:

  1. Problem description and brief discussion
  2. Impact and affected software
  3. Solution or work-around
  4. Special instructions and notes
  5. Software download location
  6. Authenticity verification
  7. Common Vulnerability Scoring System (CVSS) assessment
  8. Credits and additional information
  9. Bulletin release history
  10. Notices

1. Problem description and brief discussion

Description

Skype uses the Internet Explorer web control to render HTML content for several web applications, including SkypeFind.

A vulnerability has been found in SkypeFind that allows an attacker to execute arbitrary code when the victim navigates to a SkypeFind directory item (business contact) that was submitted in a specially crafted way.

There is one important precondition for the exploit to work: the victim must have received a Skype contact request authorization from the attacker's Skype account.

This vulnerability is exploitable because of a security zone elevation vulnerability in the Skype client (see Skype Security Bulletin SKYPE-SB/2008-001 and the links in the Cross-references section above) that allows scripts to run in the Local Zone security context of the IE web control used to render SkypeFind content.
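The defensive pattern the description above implies, as an added example (not Skype's code and not the actual SkypeFind fix): every submitted directory field is HTML-encoded before it reaches the embedded browser control, link fields are restricted to http(s), and the generated page carries IE's Mark of the Web so that even content loaded from a local file is rendered in the Internet Zone rather than the Local Zone. The listing fields and the `about:internet` mark are constructed sample values.

```python
import html
from urllib.parse import urlsplit

# Mark of the Web: IE treats a local file carrying this comment as Internet Zone
# content. The four-digit number is the length of the URL that follows it.
MOTW_URL = "about:internet"
MARK_OF_THE_WEB = f"<!-- saved from url=({len(MOTW_URL):04d}){MOTW_URL} -->"

TEMPLATE = """{motw}
<html><head><meta charset="utf-8"><title>{name}</title></head>
<body>
<h1>{name}</h1>
<p class="address">{address}</p>
<p class="website"><a href="{website}">{website}</a></p>
<p class="description">{description}</p>
</body></html>"""


def safe_url(value: str) -> str:
    """Keep only absolute http(s) links; javascript:, vbscript:, file: and
    res: URLs are replaced with an inert placeholder."""
    value = value.strip()
    parts = urlsplit(value)
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return html.escape(value, quote=True)
    return "about:blank"


def render_listing(listing: dict) -> str:
    """Render a directory item; every submitted field is untrusted text."""
    fields = {k: html.escape(listing.get(k, ""), quote=True)
              for k in ("name", "address", "description")}
    fields["website"] = safe_url(listing.get("website", ""))
    return TEMPLATE.format(motw=MARK_OF_THE_WEB, **fields)


# Constructed sample listing whose fields carry markup and a script URL.
HOSTILE_LISTING = {
    "name": "Acme <script>alert(1)</script>",
    "address": '1 Main St" onmouseover="alert(2)',
    "website": "javascript:alert(3)",
    "description": "<img src=x onerror=alert(4)>",
}

if __name__ == "__main__":
    print(render_listing(HOSTILE_LISTING))
```

Encoding alone neutralizes the markup; the Mark of the Web is the defence in depth for the case the bulletin describes, where the control ends up in the Local Zone anyway.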

2. Impact and affected software

Impact

A user of Skype for Windows who either a) navigates directly to a specially submitted SkypeFind business contact or b) searches for business contacts and is presented with a result page that includes a specially submitted business contact may experience execution of arbitrary code without consent.

Affected software

3. Solution or work-around

Skype has fixed the vulnerability in SkypeFind.

4. Special instructions and notes

None.

5. Software download location

The preferred method for installing security updates is to download the software directly from Skype's website, from the website of Skype's authorized partners, or from a reliable mirror site. Skype may also be safely downloaded from other locations, but in this case it is particularly important that you verify the authenticity of the download.

We recommend that once you download any Skype software, you verify its integrity by the methods listed in Section 6 of this Bulletin.

x86 platform, Microsoft Windows 2000 or Microsoft Windows XP: http://www.skype.com/download/skype/windows/

x86 platform, Linux: http://www.skype.com/download/skype/linux/

PPC and x86 platforms, Mac OS X v10.3.9 or later: http://www.skype.com/download/skype/macosx/

Pocket PC platform, Microsoft Windows Mobile 2003: http://www.skype.com/download/skype/pocketpc/

6. Authenticity verification

- Bulletin authenticity verification:

Skype security bulletins are published on Skype's web site and via mailing lists. The authenticity and integrity of a Skype security bulletin may be determined by inspecting the cryptographic signature that is attached to each bulletin. All Skype security bulletins are published with a valid digital signature produced by PGP.

- Software authenticity verification:

Both the Skype installer program and the Skype program that is installed by the installer are digitally signed.

For Skype software built for Microsoft Windows and Mac OS X operating environments, the digital certificate used by Skype to sign software packages is signed by "VeriSign Class 3 Code Signing 2004 CA".

For Skype software built for Linux platforms, all packages are signed by PGP key ID 0xD66B746E, the public component of which may be downloaded from http://www.skype.com/download/skype/linux/.

- For general information about Skype security, please visit the Skype Security Resource Center at http://www.skype.com/security/.

7. Common Vulnerability Scoring System (CVSS) assessment

Skype has rated the issue covered by this Security Bulletin under the CVSS scheme as follows:

Base metrics as of 2008-01-31:

Access Vector (AV) ........... Network
Access Complexity (AC) ....... Medium
Authentication (Au) .......... Multiple
Confidentiality Impact (C) ... Complete
Integrity Impact (I) ......... Complete
Availability Impact (A) ...... Complete

Computed CVSS base score: 7.8

Temporal metrics as of 2008-01-31:

Exploitability (E) ........... proof-of-concept
Remediation Level (RL) ....... official-fix
Report Confidence (RC) ....... confirmed

Computed CVSS temporal score: 6.1

Skype participates in the CVSS by rating each identifiable security vulnerability against the CVSS base metrics. In addition, Skype may rate each vulnerability against temporal metrics from time to time. As suggested by the name, temporal metrics for a particular vulnerability may change from time to time.

More information about the CVSS may be obtained from the CVSS host website at http://www.first.org/cvss/.

8. Credits and additional information

Skype would like to thank Aviv Raff for having referred this problem to Skype in a timely manner.

9. Bulletin release history

2008-01-31 Initial bulletin release

10. Notices

Copyright 2008 Skype Technologies, S.A. All rights reserved.

This Skype Security Bulletin may be reproduced and distributed, provided that the Bulletin is not modified in any way and is attributed to Skype Technologies, S.A. and provided that reproduction and distribution is performed for non-commercial purposes.

This Skype Security Bulletin is provided to you on an "AS IS" basis and may contain information provided by third parties. Skype makes no guarantees or warranties as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED.

To report a security issue to Skype, please send an e-mail that describes the problem or vulnerability to security@skype.com. Please consider securing any reports that disclose security vulnerabilities by encrypting them using the current PGP key of the Skype Computer Emergency Response Team (SKY-CERT), PGP key ID 0xAD2DF320.