Skype has been forced to turn off a video-sharing feature in its software because the feature could be misused to launch a self-copying worm against Skype users, security researchers announced on Tuesday.
The bug, reported by Aviv Raff, stems from the fact that Skype uses Internet Explorer to render HTML. The video-sharing feature allows users to share videos hosted on Metacafe.com and Dailymotion.com while chatting with other users.
Raff showed last week how attackers could exploit the bug, but said on Tuesday that it was worse than he first thought. The worm can “be triggered by simply visiting a Web site, or clicking on a link from your instant messaging application,” Raff wrote in a blog post, “Which basically means that this vulnerability is now wormable.”
Skype has pulled the feature from its client software as a result of the bug. Users who attempted to click on the “videos” button within a chat window were greeted with a message that it was unavailable due to “some security concerns.”
According to a statement, Metacafe videos are expected to be available to Skype users again as early as Wednesday morning. The problem is that Skype uses a component of Internet Explorer with inappropriate security settings: it renders pages in IE’s “Local Zone” rather than the “Internet Zone”.
Raff has said that until Skype makes some changes to its software, more of these problems will continue to pop up.