MacRumors

macrumors bot
Original poster
Apr 12, 2001
53,518
15,249





Earlier today, security researcher Gordon Maddern of Pure Hacking reported on a security vulnerability he accidentally discovered in Skype's software for Mac OS X, a vulnerability that he said he disclosed to the company a month ago and that had yet to be patched.
I notified them on the security vulnerability and I was given the standard:

"Thank you for showing an interest in skype security, we are aware of this issue and will be addressing it in the next hotfix"

That was over a month ago and there still has not been a fix released. The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victim's Mac. It is extremely wormable and dangerous.
Skype quickly responded on its security blog, noting that the company was already aware of the issue by the time Maddern reported it and had in fact issued a fix for it as part of a minor update to Skype for Mac released on April 14th. But because exploits for the vulnerability had not been reported in the wild, the company opted not to prompt existing users to apply the update.

Skype says that another update for the company's Mac software is set to launch early next week, and users will be prompted to update at that time. But in the meantime, Skype does recommend that users aware of the issue simply manually check for updates to get the current patched version.
This new update will include some additional updates and bug fixes. When it is released, we will notify all Skype for Mac users of the need to update their software (the client will prompt the user to update). In the meantime, we recommend you update your software with the fix made available on April 14th, just click on Skype -> Check for Updates or you can download the software here.
The vulnerability affects only the Mac OS X version of Skype, and thus clients for other platforms such as Windows and Linux will not require an update.

Article Link: Security Vulnerability Discovered in Skype for Mac, Latest Update Includes Patch
 

Ptit

macrumors regular
May 6, 2011
108
0
moon
skype is disgusting!

I heard they record conversations without users knowing, as well as locations and access other info, what's really disgusting is the fact that everyone is collecting information because they can use it against innocent people!
 

matthew12

macrumors regular
Aug 27, 2009
111
227
Quick Question

If you're still on the Skype 5 beta, do you get group video calling free?
 

bmb012

macrumors 6502
Jul 25, 2006
414
0
Why would anyone ever install Skype 5 over 2.8? :eek:

I do wish they'd fix their stupid hideous software :(
 

Aniday

macrumors regular
Jan 27, 2009
145
3
Absolutely unacceptable. Skype has no idea what the hell they are doing.

Really? ONE MESSAGE is all it would take to take control of OS X? And they decided not to fix it quickly because there were no reports of the exploit in the wild?

They are the stupidest, most useless developers. I hope they get bought out and either shut down or dramatically improved. And fire all of the current programmers/designers.

"What? People losing their job? You're so cruel"

No. They can't do their jobs so why should they keep it? Allowing all of their OS X users to be wide open to a massive security hole like that... ugh. Not to mention the massive cluster of fail that is Skype 5.

Letting something that severe fester is the most lazy crooked thing ever. Besides the fact to even not notice it in the first place... and not be intelligent enough not to write the code in a way that would allow it.
 

locust76

macrumors 6502a
Jan 23, 2009
678
75
skype is disgusting!

I heard they record conversations without users knowing, as well as locations and access other info, what's really disgusting is the fact that everyone is collecting information because they can use it against innocent people!

Put your tinfoil hat away, there's no proof or motive of this. Besides, Skype is Peer to Peer, which means recording a conversation is next to impossible, because it doesn't go through a central server. If Skype clients were uploading recordings, people would notice.
 

locust76

macrumors 6502a
Jan 23, 2009
678
75
Absolutely unacceptable. Skype has no idea what the hell they are doing.

Really? ONE MESSAGE is all it would take to take control of OS X? And they decided not to fix it quickly because there were no reports of the exploit in the wild?

They are the stupidest, most useless developers. I hope they get bought out and either shut down or dramatically improved. And fire all of the current programmers/designers.

"What? People losing their job? You're so cruel"

No. They can't do their jobs so why should they keep it? Allowing all of their OS X users to be wide open to a massive security hole like that... ugh. Not to mention the massive cluster of fail that is Skype 5.

Letting something that severe fester is the most lazy crooked thing ever. Besides the fact to even not notice it in the first place... and not be intelligent enough not to write the code in a way that would allow it.


If they're so useless and incompetent, why don't you write a cross-platform Peer to Peer VoIP application?
 

jrtc27

macrumors newbie
Apr 12, 2010
28
0
England
Wirelessly posted (Mozilla/5.0 (iPod; U; CPU iPhone OS 3_1_3 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7E18 Safari/528.16)

This should be Page 1.
 

orangerizzla

macrumors member
Jan 9, 2008
30
4
Hampton
Wirelessly posted (Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_1 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8G4 Safari/6533.18.5)

We couldn't get v5 to recognise our iSight camera which would seem to me an even bigger problem. Video calls without er... Video :(
 

jdavtz

macrumors 6502a
Aug 22, 2005
548
0
Kenya
so does anyone know if the vulnerability is in 2.8 or only in 5?

also -- apple has a role here: "control of victim's mac" shouldn't be possible without at least a password prompt


A possible workaround I suppose would be: allow chats from - only people in my contact list
 

ArtOfWarfare

macrumors G3
Nov 26, 2007
9,229
5,285
also -- apple has a role here: "control of victim's mac" shouldn't be possible without at least a password prompt

I can't remember, does Skype require a password to be installed? If so, that might be where it gets access from...

Even if it doesn't, I'm pretty sure Mac OS warns you before you launch a program downloaded from the Internet for the first time... Basically says, "hey, it's not our fault if you just downloaded a virus."
 

netnothing

macrumors 68040
Mar 13, 2007
3,702
320
NH
Wirelessly posted (Mozilla/5.0 (iPod; U; CPU iPhone OS 3_1_3 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7E18 Safari/528.16)

This should be Page 1.

Yeah seriously. But then again Page 1 is usually saved for those important Apple Market Share vs Android reports :D

-Kevin
 

roadbloc

macrumors G3
Aug 24, 2009
8,784
213
UK
I stopped using Skype after version 5 was released. Moved onto AIM. Most of my contacts have followed suit.
 

wilsonlaidlaw

macrumors 6502
Oct 29, 2008
432
63
Skype - deterioration?

I used to use Skype and Skype out all the time. Is it just me that is suffering from poor quality connections? I have given up trying to use video now as the connection is just too poor. I have no issues with iChat and similar so it is neither my equipment nor line speed. Even with video switched out, voice quality is often dreadful.

Their auto update is not working at present. You go through the update routine and you get the message "cannot instal - expected version 5.xxxx and got 5.yyyy". I know you can go to the website and download which I have been doing but not so very long ago for a whole week, the Mac download button downloaded an .exe file - wonderful!

I get the impression that Skype no longer cares about the sort of service they give to customers. They no longer reply to email queries on service quality, which they used to within 24 hours, with a sensible reply. If they carry on in this vein, they will soon lose their customer base.

One final beef. There are no decent Mac compatible handsets. I have been through 3 iPevo Ones and one US Robotics. They have lasted about a year each and then failed. Any suggestions for a good quality USB or Firewire handset with dialling buttons and Skype control buttons that work consistently and for more than 12 months?
 
Argh!

Is the 2.8.0.866 version affected or only the PlaySchool 5.x version?

I don't want to update to the PlaySchool version :(

Now that I think of it... if I block messages from people I don't have in my list, problem solved, right? (Actually I already had them blocked)

So no need to update to the PlaySchool version :cool:
 

munkery

macrumors 68020
Dec 18, 2006
2,217
1
I can't remember, does Skype require a password to be installed?

Password to install Skype in this case doesn't matter as it runs with user privileges.

The exploit only grants user level access which does not allow the install of rootkits, such as keyloggers that can log passwords protected by user space security mechanisms.

This is worse than most client side exploits in that it is in a messaging/chat app which provides an easier vector to spread unbeknownst to the user.

I do find it unlikely that this exploit was found by accident given that exploits are usually highly tailored to a specific combination of app and OS.
 