Skype Patches Wormable Flaw in Mac Client

Skype has patched a security hole in its Skype 5 client for Mac that would have allowed malware developers to build a self-replicating worm targeting the Mac OS X platform.

Skype fixed a vulnerability that potentially allowed malicious individuals on a user’s contact list to remotely take control of their Macs, the company said in a blog post May 6. The patched software, version 5.1.0.935, became available to users May 9, but it requires a manual update.

Attackers interested in exploiting the vulnerability would have to send a maliciously crafted message to someone on the attacker’s Skype Contact List, Adrian Asher, Skype’s chief information security officer, wrote on the official Skype blog. The issue was limited to only Mac users and does not affect Windows or Linux users, Asher said.

“A new version of Skype 5 closes the vulnerability, and Skype 2.8 (with its simpler, superior interface) was unaffected all along,” wrote John Gruber, on the Daring Fireball blog. There are also reports that it does not affect Apple’s iOS.

Details of the flaw haven’t been made public, but it is “serious,” according to Gordon Maddern, the Australian security researcher who reported the issue to Skype. He discovered the flaw purely by accident when he was chatting on Skype with a colleague about a payload from a client. He inadvertently executed the payload on the colleague’s Skype client, according to a post on the Pure Hacking blog.

Asher claimed Skype had already been aware of the issue and had already been working on the fix when Maddern contacted the company’s security team.

Maddern put together a proof-of-concept using testing software Metasploit and Meterpreter as a payload and found he was able to gain shell access on the compromised system remotely. His victim for the test wasn’t “too happy,” as it left Skype “unusable” for several days, Maddern said.

"The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victim’s Mac," Maddern wrote. The flaw is "extremely wormable," according to Maddern.

Pure Hacking won’t give specifics on how to perform the attack until the patch is available to users, according to Maddern. “We won’t be releasing any info till the majority of users are safe,” Maddern said.

The updated Skype for Mac software requires a manual update. The company had actually addressed the bug via a “hotfix” that was released April 14. It hadn’t been automatically pushed to users before because “there were no reports of this vulnerability being exploited n the wild,” Asher said.

The update also fixed some minor bugs and resolved the video freezing in high-packet-loss networks, Skype said.

Last month, Skype patched the vulnerability within its Android application, which would have allowed a malicious third-party application to access user information, including phone numbers. Skype for Android was storing names, dates of birth, location information, account balances, phone numbers, email addresses and other biographic details in a non-encrypted and easily accessible file on the device. The company fixed the issue in version 1.0.0.983 on April 20.