Security Hole in Skype for OS X Could Give Attackers Remote Access to Your Mac

A major security hole has been discovered in Skype for OS X that could give an attacker remote access to your Mac by sending an instant message.

The zero-day security vulnerability was discovered by Australian IT security firm Pure Hacking. Gordon Maddern, who found the exploit, posted today that he notified Skype of the issue a month ago and was given a standard, canned reply from them. Skype still has not released a patch.

Maddern:

The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victim’s Mac. It is extremely wormable and dangerous.

Pure Hacking:

[We] won’t give specifics on how to perform this attack until a patch from Skype is released. However we will give a full disclosure after Skype takes action or a reasonable responsible disclosure time.

Skype is fiddling while Rome is burning:

Dan York from Disruptive Telephony justifiably complained that Skype has not made any information public other than a statement given to ZDNet UK. He says they have made no attempt to notify users via their corporate blog, Twitter feed, or any other method. York recommends changing Skype’s privacy settings to only allow messages from contacts. He warns, however, that this is merely a precautionary measure, since it is unknown exactly how the attack works. See below for details.

Skype 5.x settings:

Skype 2.8 settings:

Better yet, switch off Skype and use the phone until a patch is released.

UPDATE
Skype has addressed the security vulnerability. (Thanks Chaim)

via Pure Hacking, The Register and Disruptive Telephony

James Britton
