The security hole that would have allowed attackers to create a worm targeting Skype users on the Mac has been patched, Skype said.
Skype has patched a security
hole in its Skype 5 client for Mac that would have allowed malware developers
to build a self-replicating worm targeting the Mac OS X platform.
Skype fixed a vulnerability
that potentially allowed malicious individuals on a user's contact list to
remotely take control of their Macs, the company said in a blog post May 6. The
patched software, version 18.104.22.1685, became available to users May 9, but it
requires a manual update.
Attackers interested in
exploiting the vulnerability would have to send a maliciously crafted message
to someone on the attacker's Skype Contact List, Adrian
, Skype's chief information security officer, wrote on the official
Skype blog. The issue was limited to only Mac users and does not affect Windows
or Linux users, Asher said.
"A new version of Skype 5
closes the vulnerability, and Skype 2.8 (with its simpler, superior interface)
was unaffected all along," wrote John Gruber, on the Daring
. There are also reports that it does not affect Apple's iOS.
Details of the flaw haven't
been made public, but it is "serious," according to Gordon Maddern, the
Australian security researcher who reported the issue to Skype. He discovered
the flaw purely by accident when he was chatting on Skype with a colleague
about a payload from a client. He inadvertently executed the payload on the
colleague's Skype client, according to a post on the Pure
Asher claimed Skype had
already been aware of the issue and had already been working on the fix when
Maddern contacted the company's security team.
Maddern put together a
proof-of-concept using testing software Metasploit and Meterpreter as a payload
and found he was able to gain shell access on the compromised system remotely.
His victim for the test wasn't "too happy," as it left Skype "unusable" for
several days, Maddern said.
"The long and the short
of it is that an attacker needs only to send a victim a message and they can
gain remote control of the victim's Mac," Maddern wrote. The flaw is
"extremely wormable," according to Maddern.
Pure Hacking won't give
specifics on how to perform the attack until the patch is available to users,
according to Maddern. "We won't be releasing any info till the majority of
users are safe," Maddern said.
The updated Skype for Mac
software requires a manual update. The company had actually addressed the bug
via a "hotfix" that was released April 14. It hadn't been automatically pushed
to users before because "there were no reports of this vulnerability being
exploited n the wild," Asher said.
The update also fixed some
minor bugs and resolved the video freezing in high-packet-loss networks, Skype
Last month, Skype patched
the vulnerability within its Android application, which would have allowed a
malicious third-party application to access user information, including phone
Skype for Android
was storing names, dates of birth, location information,
account balances, phone numbers, email addresses and other biographic details
in a non-encrypted and easily accessible file on the device. The company fixed
the issue in version 22.214.171.1243 on April 20.