
Skype vulnerable to code injection - researcher


A researcher has supposedly found a vulnerability in videoconferencing software Skype that potentially allows an attacker to inject HTML and JavaScript code into the program.

Berlin-based Levent Kayan said that the vulnerability may affect Skype for Microsoft's Windows XP, Vista and 7 operating systems. "It has not been verified though, if it’s possible to hijack cookies or to attack the underlying operating system. Attacker could give a try using extern .js files," he said in an August 17 advisory.

Kayan said the vulnerability particularly affects Skype version 5.5.0.113. According to Kayan, Skype suffers from a "persistent code injection vulnerability due to a lack of input validation and output sanitization" of the following profile entries:

  • home
  • office
  • mobile
Injections can supposedly be made in the Home Phone Number, Office Phone Number and Mobile Phone Number fields. A screenshot of the injection was posted at http://www.noptrix.net/tmp/skype_inject.png. For now, however, Kayan indicated the threat level was "low." — TJD, GMA News
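
The advisory attributes the issue to missing input validation and output sanitization on the home, office and mobile entries. The JavaScript below is an added example (not code from the advisory or from Skype) showing both controls for those three fields; the phone-number allowlist, the function names and the sample values are assumptions made for illustration.

```javascript
// Field names follow the article; everything else here is hypothetical.
const PHONE_FIELDS = ["home", "office", "mobile"];

// Allowlist: optional leading "+", then digits and common separators only.
const PHONE_SHAPE = /^\+?[0-9 ().\-]{3,30}$/;

// Input validation: a phone entry must look like a phone number, nothing else.
function validatePhone(value) {
  if (typeof value !== "string") return false;
  const trimmed = value.trim();
  if (!PHONE_SHAPE.test(trimmed)) return false;
  const digits = trimmed.replace(/\D/g, "").length;
  return digits >= 3 && digits <= 20;
}

// Output encoding: escape the five HTML-significant characters.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Write path: accept well-formed phone entries, report the rest as rejected.
function sanitizeProfileUpdate(update) {
  const accepted = {};
  const rejected = [];
  for (const field of PHONE_FIELDS) {
    if (update[field] === undefined) continue;
    if (validatePhone(update[field])) accepted[field] = update[field].trim();
    else rejected.push(field);
  }
  return { accepted, rejected };
}

// Render path: encode every stored value, including entries that were
// saved before validation existed or that arrived from another client.
function renderProfile(profile) {
  return PHONE_FIELDS
    .filter((field) => typeof profile[field] === "string")
    .map((field) => `<li class="${field}">${escapeHtml(profile[field])}</li>`)
    .join("");
}

// Constructed sample: one valid number, one entry carrying markup.
const sampleUpdate = { home: "+49 30 1234567", mobile: "<b>injected</b>" };
console.log(sanitizeProfileUpdate(sampleUpdate));
console.log(renderProfile(sampleUpdate));
```

Because the injection is persistent, the render-path encoding matters even when the write path validates: it neutralizes values that are already stored.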