The zero-day security vulnerability was discovered by Australian IT security firm, Pure Hacking. Gordon Maddern, who found the exploit, posted today that he notified Skype of the issue a month ago and was given a standard, canned reply from them. They still have not created a patch.
Maddern:
The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victim's Mac. It is extremely wormable and dangerous.
Pure Hacking:
[We] won’t give specifics on how to perform this attack until a patch from Skype is released. However we will give a full disclosure after Skype takes action or a reasonable responsible disclosure time.
Skype is fiddling while Rome is burning:
Dan York from Disruptive Telephony justifiably complained that Skype has not made any information public other than a statement given to ZDNet UK. He says they have made no attempt to notify users via their corporate blog, Twitter feed, or any other method. York recommends changing Skype's privacy settings to only allow messages from contacts. He warns, though, that this is merely a precautionary measure, since it is unknown exactly how the attack works. See below for details.
Skype 5.x settings:
Skype 2.8 settings:
Better yet, switch off Skype and use the phone until a patch is released.
UPDATE
Skype has addressed the security vulnerability. (Thanks Chaim)
via Pure Hacking, The Register and Disruptive Telephony