A programming error in eBay's Skype communications software could give cybercriminals a new way to sneak their malicious software onto a victim's PC. The flaw, which was reported Thursday by security researcher Aviv Raff, lies in the way that Skype uses a Windows Internet Explorer component to render HTML. Because Skype does not apply strict security controls to that component, an attacker could run scripting code on the victim's system in a dangerous fashion and ultimately install malicious software.
The problem is that Skype runs the IE component with the less locked-down "Local Zone" security setting. Because of this, attackers are able to do "all sorts of things... [such as] reading/writing files from the local disc and launching executables," wrote security researcher Petko Petkov in a Thursday blog post about the issue. For an attack to work, the bad guys would first need to find a trustworthy Web site that contained a common programming flaw called a cross-zone scripting error. This bug would give them a way to trick Skype into running their malicious script as if it came from a trusted Web site.