Australian security consultant Gordon Maddern has discovered a bug in Skype for Mac that could potentially give attackers complete access to OS X, reports The Register. All an attacker would have to do is send a message with an attachment in a Skype chat session to gain control of the victim’s Mac. Update below.
The bug is apparently present in the most current version of Skype for Mac and was discovered accidentally while Maddern was chatting with a colleague.
“About a month ago I was chatting on Skype to a colleague about a payload for one of our clients,” he told The Register. “Completely by accident, my payload executed in my colleagues Skype client. So I decided to test another mac and sent the payload to my girlfriend. She wasn’t too happy with me as it also left her Skype unusable for several days.
He then wrote a proof-of-concept attack that allowed him to remotely gain shell access on a targeted Mac. Because the payload is sent in an instant message, it’s possible that the affected Mac could then be used to infect a host of other Macs, allowing the attack to grow exponentially.
He originally posted about the hack on his blog Pure Hacking and says that he has notified Skype about the issue. He says that they responded with the basic thank you response and that it is “aware of this issue and will be addressing it in the next hotfix.”
Maddern then goes on to say that a month had gone by at the time of his posting and there had yet to be a fix released for the bug. It’s also unclear if any interaction from the user affected would be required to activate the attack.
We have contacted Skype to see if they are indeed aware of the bug and will update this post if they get back to us.
Update: Skype has posted an article on their blog stating that the vulnerability had been addressed in a patch on April 14th. It says that it was already aware of the issue when it was contacted by Pure Hacking.
At the time they alerted us, we were already aware of the issue and were working on a fix to protect Skype users from this vulnerability, as we take our users’ security very seriously. We subsequently released a hotfix for this problem in a minor update (Skype for Mac version 126.96.36.1992) on April 14th.
Because they felt that the issue had not been exploited this update was not an ‘alert’ update that would push a notice to Skype users to apply it. This means that many out there using Skype for Mac are still susceptible to this bug. To fix the vulnerability, just click on Skype and Check for Updates. The hotfix will show up as available.
Skype says that the next update will also contain the fix and will issue a prompt to users to encourage them to apply the patch.