Skype for Mac–A Security Vulnerability Addressed

Over at Disruptive Telephony, Best Practices Chair of the VoIP Security Alliance, Dan York, summarizes recent reports on a security vulnerability in Skype for Mac.

Given that I basically live inside of Skype for Mac and use it extensively every day, this is obviously extremely concerning. Particularly because I do let anyone on Skype send me messages… and my Skype ID is easily found on my websites and many other locations (and since is rather obvious – “danyork”).

As a heavy user of Skype for Mac’s group chat feature, Dan questions why there has been no communication from Skype other than a response to ZDNet UK’s story where they say:

UPDATE (5:13pm): Skype has just sent ZDNet UK a statement promising a fix next week. The statement reads: “We are aware of this and will release a fix early next week to resolve the issue. We take our users privacy very seriously and are working quickly to protect Skype users from this vulnerability.”

This evening Skype has responded in their blog post, Security Vulnerability in Mac Client Has Been Addressed. To summarize:

  • Skype acknowledges they were aware of the vulnerability, not only via Pure Hackers but also their own internal processes
  • The issue was addressed in a “minor” update, version 5.1.0.922 released on April 14, 2011

This vulnerability … is related to a situation when a malicious contact would send a specifically crafted message that could cause Skype for Mac to crash. Note, this message would have to come from someone already in your Skype Contact List, as Skype’s default privacy settings will not let you receive messages from people that you have not already authorized, hence the term malicious contact.

However, they also stated:

As there were no reports of this vulnerability being exploited in the wild, we did not prompt our users to install this update, as there is another update in the pipeline that will be sent out early next week.

They go on to point out that customers will be prompted to install a more comprehensive update to be released next week. But they made the following statement:

In the meantime, we recommend you update your software with the fix made available on April 14th, just click on Skype -> Check for Updates or you can download the software here.

I checked my installed version; it was 5.1.0.914. I did the “Check for Updates” and was told there were “no updates”.

Bottom line: download the updated software here (version 5.1.0.922) and install it to ensure you have no exposure to this vulnerability. And expect to be notified of a more comprehensive update next week.

You can’t win … when customers are heavily prompted to update, there are complaints; when they are not prompted the story somehow gets out anyway. Decisions, decisions….

One final question: will this update address any of the issues discussed not only in my recent posts but also in several other online discussions (listed at the end of some of these posts)?

Update: Dan questions why this issue even had to come to light in “Skype’s Security Communication FAIL – Why Issue a HotFix If You Don’t Tell Anyone?”

About Jim Courtney

Bringing over thirty years' experience in the sales, marketing and management of cutting edge technology businesses.

Trackbacks/Pingbacks

  1. Skype for Mac 5 – Hotfix Update Now Available | Voice on the Web - May 9, 2011

    […] Skype released the promised Hotfix to Skype for Mac 5.1 that addresses the security vulnerability that was the subject of much Internet angst last […]
