Skype users on Mac OS X are dealing with some confusing information at the moment about whether Skype has fixed a remotely exploitable bug in the Mac client that was reported several weeks ago. The company said it released a patch in an optional minor update nearly a month ago, but it will push out another fix this week that will force users to upgrade.
The vulnerability affects only the Skype client for Mac OS X and enables an attacker to get complete control of a vulnerable machine by sending a malicious message to another user. Researchers at Pure Hacking in Australia reported the bug to Skype some time ago and Skype officials said that they were aware of the problem already and had a fix in the works. The patch that Skype released was part of version 22.214.171.1242, which the company made available on April 14. However, the fix was not made mandatory.
“At the time they alerted us, we were already aware of the issue and
were working on a fix to protect Skype users from this vulnerability, as
we take our users’ security very seriously. We subsequently released a
hotfix for this problem in a minor update (Skype for Mac version
126.96.36.1992) on April 14th. As there were no reports of this vulnerability
being exploited in the wild, we did not prompt our users to install
this update, as there is another update in the pipeline that will be
sent out early next week,” Skype’s Adrian Asher wrote on May 6.
“This new update will include some additional updates and bug fixes.
When it is released, we will notify all Skype for Mac users of the need
to update their software (the client will prompt the user to update).”
Gordon Maddern of Pure Hacking said that the bug is a serious one and that users should update to the newest version as soon as they can.
“The long and the short of it is that an attacker needs only to send a
victim a message and they can gain remote control of the victim's Mac. It is extremely wormable and dangerous,” he wrote.