Skype has been forced to turn off a video-sharing feature because of security fears. The company has acted to prevent attackers exploiting a software flaw to launch a self-copying worm attack against other Skype users.
The software bug, first reported last week by security researcher Aviv Raff, stems from the way Skype uses an Internet Explorer component to render HTML. Skype's video-sharing feature allows users to share videos hosted on two sites - Dailymotion.com and Metacafe.com - while chatting with other Skype users.
Last week Raff showed how attackers could exploit the bug to run unauthorised software on a Skype user's PC. But yesterday, the security researcher said the flaw was more serious than he had first thought. It can "be triggered by simply visiting a website, or clicking on a link from your instant messaging application," he wrote in a blog posting, "Which basically means that this vulnerability is now wormable."
Skype has now pulled the video feature from its client software. Users who attempted to click on the "videos" button within a chat window were greeted with a message that the feature was unavailable "because of some security concerns. Our brightest engineers are rattling their wrenches to make things all right and bring the beloved videos back. Soon," the message read. "Sorry about this."
Skype representatives did not return calls seeking comment. Last week, Skype spokesman Villu Arak confirmed that there was a security problem for Skype 3.5 and 3.6 users who visited the Dailymotion.com site, but users were still able to share videos using Metacafe.com.
For Raff's attack to work, an attacker would have to post a maliciously encoded video file to either of the Metacafe or Dailymotion sites. Metacafe said Tuesday that it's "highly unlikely" that this kind of malicious video would make it through the site's content-filtering process.
In a statement, the company said it expects Metacafe videos to be available to Skype users as early as Wednesday morning.
Raff said that because the attack could lead to a widespread worm outbreak, it would be better for Skype to fix the underlying problem before bringing Metacafe back online. He said that Dailymotion was probably susceptible to this type of attack as well, although he was unable to confirm this after Skype cut off access to the website.
The problem lies in the fact that Skype uses a Windows Internet Explorer (IE) component with inappropriate security settings, researchers say. Instead of processing pages it renders with the more secure "Internet Zone" security setting, Skype uses IE's "Local Zone" security setting, usually reserved for more trustworthy content.
Until Skype engineers make some changes to their software, more of these problems will continue to pop up, Raff said.