Skype vulnerable to code injection - researcher
A researcher has supposedly found a vulnerability in videoconferencing software Skype that allows an attacker to potentially inject HTML and JavaScript code into the program. Berlin-based Levent Kayan said that the vulnerability may affect Skype for Microsoft's Windows XP, Vista and 7 operating systems.

"It has not been verified though, if it's possible to hijack cookies or to attack the underlying operating system. Attacker could give a try using extern .js files," he said in an August 17 advisory.

Kayan said the vulnerability particularly affects Skype version 5.5.0.113. According to Kayan, Skype suffers from a "persistent code injection vulnerability due to a lack of input validation and output sanitization" of the following profile entries:
- home
- office
- mobile
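
The two controls the advisory says were missing, shown for the three phone fields as an added example (not code from the advisory or from Skype). The function names, the phone-number allow-list and the sample profile are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not Skype's implementation.
const PHONE_FIELDS = ["home", "office", "mobile"];

// Input validation (assumed rule): optional leading "+", then digits and
// common separators only, with 3 to 15 digits in total.
const PHONE_RE = /^\+?[0-9 ().-]{3,30}$/;

function validatePhone(value) {
  if (typeof value !== "string") return false;
  const trimmed = value.trim();
  if (!PHONE_RE.test(trimmed)) return false;
  const digits = trimmed.replace(/\D/g, "");
  return digits.length >= 3 && digits.length <= 15;
}

// Output encoding: neutralise HTML metacharacters before display, so a
// value that slipped past validation is shown as text, not parsed as markup.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Gate applied when a profile is saved: keep valid numbers, report the rest.
function sanitizeProfile(profile) {
  const accepted = {};
  const rejected = [];
  for (const field of PHONE_FIELDS) {
    if (profile[field] === undefined) continue;
    if (validatePhone(profile[field])) accepted[field] = profile[field].trim();
    else rejected.push(field);
  }
  return { accepted, rejected };
}

// Rendering always encodes, independent of whether validation ran earlier.
function renderProfile(profile) {
  return PHONE_FIELDS.filter((f) => profile[f] !== undefined)
    .map((f) => `<li>${f}: ${escapeHtml(profile[f])}</li>`)
    .join("");
}

// Constructed sample profile: the "office" entry carries markup.
const sampleProfile = {
  home: "+49 30 1234567",
  office: '<b onclick="x()">call</b>',
  mobile: "0170-1234567",
};
console.log(sanitizeProfile(sampleProfile));
console.log(renderProfile(sampleProfile));
```

Validation on save and encoding on display are independent layers: the second still holds for entries stored before the first was introduced.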