Confusion over Skype for Mac security issue

Discussion in 'General Computing' started by reghakr, May 9, 2011.

  1. reghakr

    reghakr Excellent Member

    Joined:
    Jan 26, 2009
    Messages:
    14,220
    Likes Received:
    180
    Since the start of April there has been a serious security problem in the Skype for Mac client which could allow an attacker to remotely get access to a shell. Skype released a fix in the middle of April but did not push out an update notification as it believed the problem was not being exploited.

    The problem was identified by Gordon Maddern of Pure Hacking who, in a blog entry, explained how he had discovered the problem by accident while exchanging payload files with a colleague. Upon investigation, he found the problem only affected the Mac version of Skype and, with some work, was able to put together an exploit which allowed him to remotely gain access to a shell.

    After some trouble finding out who to notify, Maddern eventually got in contact with the Skype security team and was told "we are aware of this issue and will be addressing it in the next hotfix". He decided to go public on the issue since it was over a month since he had informed them and no fix had apparently been released. "An attacker needs only to send a victim a message and they can gain remote control of a victim's Mac" said Maddern, adding that "it is extremely wormable and dangerous". Pure Hacking did not release further details of the issue.

    Unknown to Maddern though, Skype had released a patched version 5.1.0.922 on 14 April but had decided that it would not prompt users to update to the new version. According to a posting in the Skype Security blog, as there were no reports of the vulnerability being exploited and as a larger update was due this month, it decided it would not prompt users to install an update. It did update the downloadable version for new installations and manually checking for updates would get the new version.

    Pure Hacking have confirmed that 5.1.0.922 does close the hole. Skype also noted that the vulnerability would have to come from someone in a user's contact list; Skype's default privacy settings do not allow users to receive messages from users who have not been authorised. Skype recommends users manually update their Skype 5.x installations by selecting Skype -> Check for Updates.

    It is unclear if version 2.8 of the Mac Skype client is susceptible; Skype refer to the issue as a problem with Skype for Mac 5.x. A large number of Mac Skype users still run version 2.8 because of unhappiness with version 5.0's radically changed user interface. Skype says the Windows and Linux versions of the client are unaffected by the problem.

    Source: Confusion over Skype for Mac security issue - The H Security: News and Features
     
  2. reghakr

    reghakr Excellent Member

    Joined:
    Jan 26, 2009
    Messages:
    14,220
    Likes Received:
    180
    Macs are completely vulnerable to a zero day flaw which allows hackers to gain control of the user's system using the message system in Skype.

    Aussie insecurity outfit Pure Hacking has told AP that the vulnerability in Skype was dangerous.

    Apparently the Mac's faith-based security implodes if someone sends it a malicious instant message.

    Writing in his blog Gordon Maddern, wrote that he first discovered the bug when he sent a client's payload to his colleague on Skype.

    Later he wrote a proof-of-concept malicious pay-load and tested it on Skype.

    An attacker needs only to send a victim a message and they can gain remote control of the victim's Mac. It could be designed to link to a worm and turn the mac into a zombie network. Well, at least, a different one from iTunes.

    Maddern told Skype about the vulnerability about a month ago and got a reply informing that it was aware of the problem and would release a patch for it soon.

    After a month Maddern decided to tell peoplec about the vulnerability. He said he had withheld a few details so hackers could not write much code based around the flaw.

    Skype released a patch in a few days which the outfit claims completely fixes the vulnerability.

    Although Zero day bugs exist on other computer systems, cracking open a Mac by sending a message on Skype seems to be a bit easy.

    Still Apple users are usually secure in the fact that there is not enough of them for a hacker to be interested, and after all, who will want to copy a Mac User's Coldplay collection?

    External links
    http://www.www.purehacking.com .

    Read more: Skype zero day bug opens Mac security can of worms - All your Coldplay will be owned by hackers | TechEye
     

Share This Page

Loading...