Expert: Skype for Mac hole can be used in remote attack
Skype says it had already known about the hole when a security researcher called the problem to its attention.
A security researcher said today that he found a serious hole in the Mac version of Skype that could be used by an attacker to remotely take control of someone else's computer.
In response, Skype says it released a "hotfix" (a quick fix to hold users over until a full update is ready) for the issue in a minor update released in mid-April. It did not prompt users to update their software, it says, because there were no reports of the hole being exploited in the wild and it was planning to issue another update early next week.
Gordon Maddern, of Pure Hacking in Australia, says he discovered the vulnerability about a month ago. He was chatting on Skype with a colleague about a payload when the payload accidentally executed in the colleague's Skype client, Maddern writes in a blog post today.
He created a proof of concept that can be used in an attack but is not releasing details on it until Skype fixes the issue. He could not find the vulnerability in the Skype client for Windows or Linux, he said.
Maddern said he contacted Luxembourg-based Skype and received a note saying "Thank you for showing an interest in Skype security, we are aware of this issue and will be addressing it in the next hotfix."
"That was over a month ago and there still has not been a fix released," he wrote in his blog post. "The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victim's Mac. It is extremely wormable and dangerous."
In a blog post, Adrian Asher of Skype explains that the vulnerability "is related to a situation when a malicious contact would send a specifically crafted message that could cause Skype for Mac to crash. Note, this message would have to come from someone already in your Skype Contact List, as Skype's default privacy settings will not let you receive messages from people that you have not already authorized, hence the term malicious contact."
"At the time they (Pure Hacking) alerted us, we were already aware of the issue and were working on a fix to protect Skype users from this vulnerability, as we take our users' security very seriously," Asher wrote.
Updated 4:13 p.m. PT with Skype saying it previously issued a hotfix and will release an update that addresses the vulnerability next week.