Over at Disruptive Telephony, Best Practices Chair of the VoIP Security Alliance, Dan York, summarizes recent reports on a security vulnerability in Skype for Mac.
Given that I basically live inside of Skype for Mac and use it extensively every day, this is obviously extremely concerning. Particularly because I do let anyone on Skype send me messages… and my Skype ID is easily found on my websites and many other locations (and since is rather obvious – “danyork”).
As a heavy user of Skype for Mac’s group chat feature, Dan questions why there has been no communication from Skype other than a response to ZDNet UK’s story, where they say:
UPDATE (5:13pm): Skype has just sent ZDNet UK a statement promising a fix next week. The statement reads: “We are aware of this and will release a fix early next week to resolve the issue. We take our users privacy very seriously and are working quickly to protect Skype users from this vulnerability.”
This evening Skype has responded in their blog post, Security Vulnerability in Mac Client Has Been Addressed. To summarize:
- Skype acknowledges they were aware of the vulnerability, not only via Pure Hackers but also their own internal processes
- The issue was addressed in a “minor” update, version 220.127.116.112, released on April 14, 2011
This vulnerability … is related to a situation when a malicious contact would send a specifically crafted message that could cause Skype for Mac to crash. Note, this message would have to come from someone already in your Skype Contact List, as Skype’s default privacy settings will not let you receive messages from people that you have not already authorized, hence the term malicious contact.
However, they also stated:
As there were no reports of this vulnerability being exploited in the wild, we did not prompt our users to install this update, as there is another update in the pipeline that will be sent out early next week.
They go on to point out that customers will be prompted to install a more comprehensive update to be released next week. But they also made the following statement:
In the meantime, we recommend you update your software with the fix made available on April 14th, just click on Skype -> Check for Updates or you can download the software here.
I checked my installed version; it was 18.104.22.1684. I did the “Check for Updates” and was told there were “no updates”.
Bottom line: download the updated software here (version 22.214.171.12420) and install it to ensure you have no exposure to this vulnerability. And expect to be notified of a more comprehensive update next week.
You can’t win … when customers are heavily prompted to update, there are complaints; when they are not prompted the story somehow gets out anyway. Decisions, decisions….
One final question: will this update address any of the issues discussed not only in my recent posts but also in several other online discussions (listed at the end of some of these posts)?
Update: Dan questions why this issue even had to come to light in Skype’s Security Communication FAIL – Why Issue a HotFix If You Don’t Tell Anyone?
- Skype Bug Leaves Mac Users Vulnerable to Exploit (macstories.net)
- Expert: Skype for Mac hole can be used in remote attack (news.cnet.com)
- A bug in Skype for Mac could give hackers root access to OS X (thenextweb.com)
- Skype bug gives attackers root access to Mac OS X (theregister.co.uk)
- Skype vulnerability discovered by Pure Hacking (purehacking.com)