Earlier today, security researcher Gordon Maddern of Pure Hacking reported on a security vulnerability he accidentally discovered in Skype's software for Mac OS X, a vulnerability that he said he disclosed to the company a month ago and had yet to be patched.
I notified them on the security vulnerabilitity and I was given the standard:
"Thank you for showing an interest in skype security, we are aware of this issue and will be addressing it in the next hotfix"
That was over a month ago and there still has not been a fix released. The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victims Mac. It is extremely wormable and dangerous.
Skype quickly responded on its security blog, noting that the company was already aware of the issue by the time Maddern reported it and had in fact issued a fix for it as part of a minor update to Skype for Mac released on April 14th. But because exploits for the vulnerability had not been reported in the wild, the company opted not to prompt existing users to apply the update.
Skype says that another update for the company's Mac software is set to launch early next week, and users will be prompted to update at that time. But in the meantime, Skype does recommend that users aware of the issue simply manually check for updates to get the current patched version.
This new update will include some additional updates and bug fixes. When it is released, we will notify all Skype for Mac users of the need to update their software (the client will prompt the user to update). In the meantime, we recommend you update your software with the fix made available on April 14th, just click on Skype -> Check for Updates or you can download the software here.
The vulnerability affects only the Mac OS X version of Skype, and thus clients for other platforms such as Windows and Linux will not require an update.
Top Rated Comments
Put your tinfoil hat away, there's no proof or motive of this. Besides, Skype is Peer to Peer, which means recording a conversation is next to impossible, because it doesn't go through a central server. If Skype clients were uploading recordings, people would notice.
Yeah we know "where" it is. He's saying it should be front and center on Page 1.
But I guess security stories aren't as important as a new ambient light sensor.
-Kevin
also -- apple has a role here: "control of victim's mac" shouldn't be possible without at least a password prompt
A possible workaround I suppose would be: allow chats from - only people in my contact list
I do wish they'd fix their stupid hideous software :(