MacRumors

macrumors bot
Original poster
Apr 12, 2001


Earlier today, security researcher Gordon Maddern of Pure Hacking reported on a security vulnerability he accidentally discovered in Skype's software for Mac OS X, a vulnerability that he said he disclosed to the company a month ago and had yet to be patched.
I notified them on the security vulnerability and I was given the standard:

"Thank you for showing an interest in skype security, we are aware of this issue and will be addressing it in the next hotfix"

That was over a month ago and there still has not been a fix released. The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victim's Mac. It is extremely wormable and dangerous.
Skype quickly responded on its security blog, noting that the company was already aware of the issue by the time Maddern reported it and had in fact issued a fix for it as part of a minor update to Skype for Mac released on April 14th. But because exploits for the vulnerability had not been reported in the wild, the company opted not to prompt existing users to apply the update.

Skype says that another update for the company's Mac software is set to launch early next week, and users will be prompted to update at that time. But in the meantime, Skype does recommend that users aware of the issue simply manually check for updates to get the current patched version.
This new update will include some additional updates and bug fixes. When it is released, we will notify all Skype for Mac users of the need to update their software (the client will prompt the user to update). In the meantime, we recommend you update your software with the fix made available on April 14th, just click on Skype -> Check for Updates or you can download the software here.
The vulnerability affects only the Mac OS X version of Skype, and thus clients for other platforms such as Windows and Linux will not require an update.

Article Link: Security Vulnerability Discovered in Skype for Mac, Latest Update Includes Patch
 
skype is disgusting!

I heard they record conversations without users knowing, as well as locations and access other info, what's really disgusting is the fact that everyone is collecting information because they can use it against innocent people!
 
Quick Question

If you're still on the Skype 5 beta, do you get group video calling free?
 
Why would anyone ever install Skype 5 over 2.8? :eek:

I do wish they'd fix their stupid hideous software :(
 
Absolutely unacceptable. Skype has no idea what the hell they are doing.

Really? ONE MESSAGE is all it would take to take control of OS X? And they decided not to fix it quickly because there were no reports of the exploit in the wild?

They are the stupidest, most useless developers. I hope they get bought out and either shut down or dramatically improved. And fire all of the current programmers/designers.

"What? People losing their job? You're so cruel"

No. They can't do their jobs so why should they keep it? Allowing all of their OS X users to be wide open to a massive security hole like that... ugh. Not to mention the massive cluster of fail that is Skype 5.

Letting something that severe fester is the most lazy crooked thing ever. Besides the fact to even not notice it in the first place... and not be intelligent enough not to write the code in a way that would allow it.
 
skype is disgusting!

I heard they record conversations without users knowing, as well as locations and access other info, what's really disgusting is the fact that everyone is collecting information because they can use it against innocent people!

Put your tinfoil hat away, there's no proof or motive of this. Besides, Skype is Peer to Peer, which means recording a conversation is next to impossible, because it doesn't go through a central server. If Skype clients were uploading recordings, people would notice.
 
Absolutely unacceptable. Skype has no idea what the hell they are doing.

Really? ONE MESSAGE is all it would take to take control of OS X? And they decided not to fix it quickly because there were no reports of the exploit in the wild?

They are the stupidest, most useless developers. I hope they get bought out and either shut down or dramatically improved. And fire all of the current programmers/designers.

"What? People losing their job? You're so cruel"

No. They can't do their jobs so why should they keep it? Allowing all of their OS X users to be wide open to a massive security hole like that... ugh. Not to mention the massive cluster of fail that is Skype 5.

Letting something that severe fester is the most lazy crooked thing ever. Besides the fact to even not notice it in the first place... and not be intelligent enough not to write the code in a way that would allow it.


If they're so useless and incompetent, why don't you write a cross-platform Peer to Peer VoIP application?
 
This should be Page 1.
 
We couldn't get v5 to recognise our iSight camera which would seem to me an even bigger problem. Video calls without er... Video :(
 
so does anyone know if the vulnerability is in 2.8 or only in 5?

also -- apple has a role here: "control of victim's mac" shouldn't be possible without at least a password prompt


A possible workaround I suppose would be: allow chats from - only people in my contact list
 
also -- apple has a role here: "control of victim's mac" shouldn't be possible without at least a password prompt

I can't remember, does Skype require a password to be installed? If so, that might be where it gets access from...

Even if it doesn't, I'm pretty sure Mac OS warns you before you launch a program downloaded from the Internet for the first time... Basically says, "hey, it's not our fault if you just downloaded a virus."
 
This should be Page 1.

Yeah seriously. But then again Page 1 is usually saved for those important Apple Market Share vs Android reports :D

-Kevin
 
I stopped using Skype after version 5 was released. Moved onto AIM. Most of my contacts have followed suit.
 
Skype - deterioration?

I used to use Skype and Skype out all the time. Is it just me that is suffering from poor quality connections? I have given up trying to use video now as the connection is just too poor. I have no issues with iChat and similar so it is neither my equipment nor line speed. Even with video switched out, voice quality is often dreadful.

Their auto update is not working at present. You go through the update routine and you get the message "cannot instal - expected version 5.xxxx and got 5.yyyy". I know you can go to the website and download which I have been doing but not so very long ago for a whole week, the Mac download button downloaded an .exe file - wonderful!

I get the impression that Skype no longer cares about the sort of service they give to customers. They no longer reply to email queries on service quality, which they used to within 24 hours, with a sensible reply. If they carry on in this vein, they will soon lose their customer base.

One final beef. There are no decent Mac compatible handsets. I have been through 3 iPevo Ones and one US Robotics. They have lasted about a year each and then failed. Any suggestions for a good quality USB or Firewire handset with dialling buttons and Skype control buttons that work consistently and for more than 12 months?
 
Argh!

Is the 2.8.0.866 version affected or only the PlaySchool 5.x version?

I don't want to update to the PlaySchool version :(

Now that I think of it... if I block messages from people I don't have in my list, problem solved, right? (Actually I already had them blocked)

So no need to update to the PlaySchool version :cool:
 
I can't remember, does Skype require a password to be installed?

Password to install Skype in this case doesn't matter as it runs with user privileges.

The exploit only grants user level access which does not allow the install of rootkits, such as keyloggers that can log passwords protected by user space security mechanisms.

This is worse than most client side exploits in that it is in a messaging/chat app which provides an easier vector to spread unbeknownst to the user.

I do find it unlikely that this exploit was found by accident given that exploits are usually highly tailored to a specific combination of app and OS.
 