Skype's dangerous exploit: What you need to know
- — 08 May, 2011 02:18
Security researchers revealed a dangerous exploit in Skype for Mac which can be exploited to create a worm that can take control of Mac PCs. This FAQ will help you understand the potential impact of the threat, and what you can do to protect your system.
What is the vulnerability? PureHacking, an Australian security research firm published a blog post describing a vulnerability and proof of concept exploit affecting Skype for Mac.
What is the potential risk? The researchers at PureHacking and the developers at Skype seem to disagree on the scope of the threat. PureHacking claims to have developed a proof-of-concept exploit that allows the attacker to take complete control of the vulnerable Mac system, and states that the flaw is easily wormable and extremely dangerous.
Skype's seems to believe the threat is much more limited. Skype explains that a message from a malicious contact could cause the Skype for Mac software to crash, and stresses that default privacy settings in Skype restrict the impact because you can only received messages from your authorized list of contacts.
There is a pretty big difference between "limited threat that crashes the Skype client" and "dangerous worm that pwns Mac PCs". PureHacking may lean toward "sky is falling" for the sensationalism, while Skype has a motive for erring on the side of "no big deal". Lets assume the truth is somewhere in the middle.
Is my version of Skype affected? According to the Skype blog post, only Skype for Mac 5.x is affected. Earlier versions are not vulnerable to this exploit.
What about Skype on Windows or Linux? The flaw only exists in the Skype for Mac client. PureHacking investigated the issue on Skype for Windows, and Skype for Linux and found that the exploit does not work on those platforms.
Is this related to the Skype for Android app issue? No. The issue with the Skype for Android app was a configuration error by Skype that left a database containing sensitive data open and unencrypted. This vulnerability is a flaw that enables a specially-crafted Skype message to execute malicious code on the target Mac OS X system.
Should I be concerned? The risk of exploit is virtually nil for Mac OS X. Despite assertions by Apple loyalists that Mac OS X is simply more secure by default and virtually impervious to attack, the annual Pwn20wn contest, and the proof-of-concept exploit developed by PureHacking for this threat demonstrate otherwise. That said, Mac OS X is still a drop in the bucket for PC market share and malware developers have their attention focused on the big pool, so there is little risk of this being exploited in the wild any time soon.
Is there a fix? Skype claims to have been aware of the issue even before PureHacking brought it to its attention, and has already developed a hotfix which has been available since April 14. Skype has not pushed the hotfix, though, because it is not aware of this flaw being exploited in the wild. Next week, Skype will push an updated version of Skype for Mac 5.x which resolves the problem, and includes a variety of other tweaks and fixes as well.
What should I do? If you are really concerned, get the hotfix from Skype and apply it now. If you prefer, though, you can probably just wait until next week when Skype unleashes the updated version.