Those running Skype on OS X are vulnerable to an exploit that allows attackers to gain root access on target machines. Through an instant message, attackers could deliver a malicious payload that would give them remote access via a shell. The severity of the issue has already been addressed by the Skype team, and should be fixed in a future update. In the meantime, a proof of concept reveals the need for caution with recent OS X security warnings and concerns.
Gordon Maddern of Pure Hacking, using a payload derived from the Metasploit framework, was able to send colleagues malicious messages that are able to execute on their remote machines. The Register’s Dan Goodin reports that while Maddern didn’t clarify what specific interactions were needed on the receiver’s end to activate the payload, access to a victim’s machine may potentially give attackers the ability to spread the infection to other machines on the local network, or again via Skype.
The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victims Mac. It is extremely wormable and dangerous.
This news follows a week where Google Images became a vector to spread malware on OS X.
Taking advantage of how Safari handles downloads by default, MacDefender malware has been targeting users browsing Google Images. By scaring recent converts with the possibility that their machines are infected, users are asked to install software to remove the threat. Of course, people still fall for these common methods of attack, and new Mac users may not be fully aware of how their new machines operate.
Update: This evening, Skype made a statement on their security blog addressing that the issue has already been fixed. However, it’s not yet available as an in-app update.
This vulnerability, which they blogged about earlier today, is related to a situation when a malicious contact would send a specifically crafted message that could cause Skype for Mac to crash. Note, this message would have to come from someone already in your Skype Contact List, as Skype’s default privacy settings will not let you receive messages from people that you have not already authorized, hence the term malicious contact.
A hotfix was released in version 126.96.36.1992 of Skype for Mac on April 14th which needed to be downloaded manually. If haven’t yet updated to a more recent version, now would be the time to launch the Skype app and check for an update. Older versions of Skype will push you to the download page where you can update to the most recent version – you’ll have to download Skype manually if you’re on a more recent version as a commenter pointed out below. Next week, Skype will push the hotfix as an in-app update for otherwise up-to-date users.