Security Vulnerability Discovered in Skype for Mac, Latest Update Includes Patch

[GGJstudios]

Basically says, "hey, it's not our fault if you just downloaded a virus."

... except there are no viruses in the wild that can run on Mac OS X, but your point is correct: Mac OS X warns you when you first launch an app you downloaded.

 

[munkery]

... except there are no viruses in the wild that can run on Mac OS X, but your point is correct: Mac OS X warns you when you first launch an app you downloaded.

Does that quarantine feature work for all apps installed via drag and drop that come from external sources, such as the browser, mail, or messenger client?

 

[GGJstudios]

Does that quarantine feature work for all apps installed via drag and drop that come from external sources, such as the browser, mail, or messenger client?

When I tried to launch the app received via email, I got:

​

I wasn't able to send the app via Skype, because Skype said:

​

I compressed the app and sent it via Skype, which allowed me to open the .zip file and then launch the app without any warning.

 

[munkery]

I wonder if a drag and drop app covertly delivered as a payload via exploitation of a client-side app would initiate a quarantine prompt before launching for the first time?

Maybe this is why malicious app bundles are not delivered via this vector?

I compressed the app and sent it via Skype, which allowed me to open the .zip file and then launch the app without any warning.

Sorry, missed this part. Somewhat answers my question. Still doesn't allow rootkit install.

 

[BlueRevolution]

skype is disgusting!

I heard they record conversations with out users knowing, as well as locations and access other info, whats really disgusting is the fact that everyone is collecting information becuase they can use it against innocent people!

Yes and no. They record IM conversations, but it is technically impossible for them to record VoIP as those connections are peer-to-peer.

http://news.bbc.co.uk/2/hi/7649761.stm

I have to say that despite the privacy concerns I do find Skype's server-side logs convenient as I variously connect from Windows, OS X, Linux, and iOS. It "just works".

To others, if you don't like the interface of Skype 5, I suggest using it with Adium instead. Of course, using Adium for the connection allows you to use OTR encryption as well, though the other party would also have to be using the Adium plugin.

 

[Floris]

Are the 2.8 users now forced to upgrade to this horrible version 5 of Skype, or did the security issue get introduced with version five?

Yikes, .. someone paid 1,7 billion dollars or something for Skype? When you look at version 5, you wonder who snorted the dollars up their nose and stopped caring about their customers ..

 

[diamond.g]

If you're still on the Skype 5 beta, do you get group video calling free?

No. (It prompted me to pay for use last time I tried) I am pretty sure that feature is regulated server-side, which is why they charge for it.

 

[blow45]

Are the 2.8 users now forced to upgrade to this horrible version 5 of Skype, or did the security issue get introduced with version five?

Yikes, .. someone paid 1,7 billion dollars or something for Skype? When you look at version 5, you wonder who snorted the dollars up their nose and stopped caring about their customers ..

Amen, one of the worse updates ever, completely inept and badly thought out, had me in awe at how bad it was for weeks...

 

[caspersoong]

Why is it vulnerable in Mac and not Windows? That is so against my perception.

 

[GGJstudios]

Why is it vulnerable in Mac and not Windows? That is so against my perception.

Because the flaw is not in the OS, but in the Mac version of the app. It's a Skype issue, not an OS issue.

 

[steadysignal]

great. with the rumor i heard on the local news broadcast this morning of M$ looking to acquire Skype...users can expect more of this crap...

 

[42streetsdown]

great. with the rumor i heard on the local news broadcast this morning of M$ looking to acquire Skype...users can expect more of this crap...

yeah maybe. or maybe not. microsoft has put out some alright stuff in the past couple years. At least in comparison with they're performance in the past. they may also be trying to implement this into the Xbox which has been quite successful. *shrug* who knows if the deal will even go through, $8.5 billion is a lot of money

 

[hajime]

Is iChat or FaceTime better? I think they require a MobileMe account to work.

 

[andys53]

Absolutely unacceptable. Skype has no idea what the hell they are doing.

Really? ONE MESSAGE is all it would take to take control of OS X? And they decided not to fix it quickly because there were no reports of the exploit in the wild?

They are the stupidest, most useless developers. I hope they get bought out and either shut down or dramatically improved. And fire all of the current programmers/designers.

"What? People loosing their job? You're so cruel"

No. They can't do their jobs so why should they keep it? Allowing all of their OS X users to be wide open to a massive security hole like that... ugh. Not to mention the massive cluster of fail that is Skype 5.

Letting something that severe fester is the most lazy crooked thing ever. Besides the fact to even not notice it in the first place... and not be intelligent enough not to write the code in a way that would allow it.

So then MS buys Skype, conspiracy?

 

[MrMac08]

MS buys Skype and immediately they're having problems.

Shocker!

Skype is a brilliant idea and I use it every single day of my life... I really hope MS doesn't screw it up like they do everything else.

I'm just glad I have anti-virus protection that runs automatically every few days

 

[silentnite]

That's not a problem for me. The minute I heard Skype was up for sale I dumped it. I'm using face time from here on out. Playing it safe.