Skype's dangerous exploit: What you need to know

Skype for Mac has a dangerous and wormable zero-day vulnerability

Security researchers have revealed a dangerous vulnerability in Skype for Mac that can be exploited to create a worm capable of taking control of Mac PCs. This FAQ will help you understand the potential impact of the threat, and what you can do to protect your system.

What is the vulnerability? PureHacking, an Australian security research firm, published a blog post describing a vulnerability and proof-of-concept exploit affecting Skype for Mac.

What is the potential risk? The researchers at PureHacking and the developers at Skype seem to disagree on the scope of the threat. PureHacking claims to have developed a proof-of-concept exploit that allows the attacker to take complete control of the vulnerable Mac system, and states that the flaw is easily wormable and extremely dangerous.

Skype seems to believe the threat is much more limited. Skype explains that a message from a malicious contact could cause the Skype for Mac software to crash, and stresses that default privacy settings in Skype restrict the impact because you can only receive messages from your authorized list of contacts.

There is a pretty big difference between "limited threat that crashes the Skype client" and "dangerous worm that pwns Mac PCs". PureHacking may lean toward "sky is falling" for the sensationalism, while Skype has a motive for erring on the side of "no big deal". Let's assume the truth is somewhere in the middle.

Is my version of Skype affected? According to the Skype blog post, only Skype for Mac 5.x is affected. Earlier versions are not vulnerable to this exploit.

What about Skype on Windows or Linux? The flaw only exists in the Skype for Mac client. PureHacking investigated the issue on Skype for Windows and Skype for Linux, and found that the exploit does not work on those platforms.

Is this related to the Skype for Android app issue? No. The issue with the Skype for Android app was a configuration error by Skype that left a database containing sensitive data open and unencrypted. This vulnerability is a flaw that enables a specially crafted Skype message to execute malicious code on the target Mac OS X system.

Should I be concerned? The risk of exploit is virtually nil for Mac OS X. Despite assertions by Apple loyalists that Mac OS X is simply more secure by default and virtually impervious to attack, the annual Pwn2Own contest and the proof-of-concept exploit developed by PureHacking for this threat demonstrate otherwise. That said, Mac OS X is still a drop in the bucket for PC market share, and malware developers have their attention focused on the big pool, so there is little risk of this being exploited in the wild any time soon.

Is there a fix? Skype claims to have been aware of the issue even before PureHacking brought it to its attention, and has already developed a hotfix which has been available since April 14. Skype has not pushed the hotfix, though, because it is not aware of this flaw being exploited in the wild. Next week, Skype will push an updated version of Skype for Mac 5.x which resolves the problem, and includes a variety of other tweaks and fixes as well.

What should I do? If you are really concerned, get the hotfix from Skype and apply it now. If you prefer, though, you can probably just wait until next week when Skype unleashes the updated version.


Tony Bradley

PC World (US online)
