Security Advisory
  • Skype "skype-plugin:" URI Handling XML File Deletion Vulnerability Reported Date: 10-04-10
Rated Level: Low
Impact: Manipulation,Remotely Exploitable
Affected Software: Skype 4.x
Description: A vulnerability has been discovered in Skype, which can be exploited by malicious people to delete certain data on a user's system.

The vulnerability is caused due to an error within the Skype Extras Manager (skypePM.exe) in the handling of "skype-plugin:" URIs. This can be exploited to delete an arbitrary ".xml" file e.g. if a user visits a specially crafted web page.

The vulnerability is confirmed in skypePM.exe version included in Skype for Windows version Other versions may also be affected.

Note: ZDI credits rgod
Solution: Disable the "skype-plugin:" protocol handler.
Feedback: If you have additional information or corrections for this security advisory please contact us at advisory(at)

Security Advisories by Month (2014)
TS Promotion