Pure Hacking's Gordon Maddern, a tech security writer, has uncovered a zero-day vulnerability affecting Mac users of the popular chat platform Skype. He writes: "About a month ago I was chatting on Skype to a colleague about a payload for one of our clients. Completely by accident, my payload executed in my colleague's Skype client."
Further tests showed that the payload was only executing in Skype clients on Macs. Windows and Linux appeared to be safe. After using Metasploit and Meterpreter to produce a proof of concept, Maddern was able to gain a shell remotely using the Skype exploit.
Perhaps alarmingly, this information was brought to the attention of Skype's security team over a month ago, with the only response being a generic "Thank you, we'll get to that soon".
"The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victim's Mac," Maddern writes. "It is extremely wormable and dangerous."
This bug was finally fixed in a manually installable patch today.
If you're a heavy Skype user on your Mac, download the manual update to patch the bug. A full version update, as noted, should be available in the next week or so.