Gordon Maddern, a security researcher in Australia, has reported a serious hole in the current Mac version of Skype that could be exploited by an attacker to remotely take control of the computer. Skype has since responded saying they had already issued a “hotfix” for the vulnerability but will release a formal update to address it next week, over a month after Maddern reported it to the company. Maddern is not releasing details of the “extremely dangerous” problem until Skype has fixed it, he said.
Skype has claimed that at the time Maddern contacted them about the issue, it was already aware of it and working on a fix, noting that by default only someone already in a user’s contact list could send them the kind of maliciously-crafted payload that would allow remote access, making it unlikely to happen to most users. Maddern says he discovered the problem when he sent a colleague a (deliberately) malicious file and it executed on the colleague’s machine.
No reports of attacks of this nature have been reported outside of Maddern’s, who posted about the discovery and subsequent progress on his blog.
Maddern created a full proof-of-concept attack, and calls it “extremely wormable,” meaning the vulnerability could be used by others to craft other sorts of attacks on Macs — the attacker only needs to send the victim a message, and they can gain remote control of the victim’s Mac, he says. The vulnerability was not found in the Windows and Linux versions of Skype. Maddern has not said if the vulnerability exists on the more-popular previous version (v2.8) of the Skype client for Mac.
Although Skype has already issued a “hotfix” (meaning no user intervention was required), until the formal update is released users of the current Mac version of Skype should be cautious of any messages from untrusted sources.