Security Advisory
  • Skype "skype-plugin:" URI Handling XML File Deletion Vulnerability
Reported Date: 10-04-10
Rated Level: Low
Impact: Manipulation, Remotely Exploitable
Affected Software: Skype 4.x
Description: A vulnerability has been discovered in Skype, which can be exploited by malicious people to delete certain data on a user's system.

The vulnerability is caused by an error within the Skype Extras Manager (skypePM.exe) in the handling of "skype-plugin:" URIs. This can be exploited to delete an arbitrary ".xml" file, e.g. if a user visits a specially crafted web page.

The vulnerability is confirmed in skypePM.exe version 2.0.0.67 included in Skype for Windows version 4.2.0.155. Other versions may also be affected.


Note: ZDI credits rgod
http://www.zerodayinitiative.com/
Solution: Disable the "skype-plugin:" protocol handler.
Feedback: If you have additional information or corrections for this security advisory, please contact us at advisory(at)triviasecurity.org
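
One way to apply the solution above on a Windows host, as an added example that is not part of the original advisory or any vendor tooling. It assumes the handler is registered the standard Windows way, as a key named after the scheme under Software\Classes that carries a "URL Protocol" value; the backup directory is a hypothetical choice.

```powershell
# Added example: report on, and optionally disable, a URI protocol handler.
# Assumption: standard registration under HKCU/HKLM Software\Classes\<scheme>.
param(
    [string]$Scheme    = 'skype-plugin',                    # scheme named in the advisory
    [string]$BackupDir = "$env:TEMP\uri-handler-backup",    # hypothetical backup location
    [switch]$Disable                                        # without it, report only
)

$hives = @(
    @{ Ps = 'HKCU:\Software\Classes'; Reg = 'HKCU\Software\Classes' },
    @{ Ps = 'HKLM:\Software\Classes'; Reg = 'HKLM\Software\Classes' }  # needs elevation to modify
)

foreach ($hive in $hives) {
    $psPath = Join-Path $hive.Ps $Scheme
    if (-not (Test-Path -LiteralPath $psPath)) {
        Write-Output "[absent]   $psPath"
        continue
    }

    # A key is treated by the shell as a URI handler when it has a "URL Protocol" value.
    $key        = Get-Item -LiteralPath $psPath
    $isProtocol = $key.GetValueNames() -contains 'URL Protocol'

    # The default value of shell\open\command is the program launched for the URI.
    $cmdPath = Join-Path $psPath 'shell\open\command'
    $command = if (Test-Path -LiteralPath $cmdPath) {
        (Get-Item -LiteralPath $cmdPath).GetValue('')
    } else { '<none>' }
    Write-Output "[found]    $psPath  URLProtocol=$isProtocol  command=$command"

    if ($Disable) {
        # Export the key first so the registration can be restored with "reg import".
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        $backup = Join-Path $BackupDir ("{0}-{1}.reg" -f $Scheme, ($hive.Reg -replace '\\', '_'))
        & reg.exe export "$($hive.Reg)\$Scheme" $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Backup failed for $psPath; leaving the key in place."
            continue
        }
        Remove-Item -LiteralPath $psPath -Recurse -Force
        Write-Output "[disabled] $psPath (backup: $backup)"
    }
}
```

Run it once without `-Disable` to see where the handler is registered and which executable it launches, then again with `-Disable` from an elevated prompt; repeat the report after any Skype update or repair to confirm the key is still absent.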
