Skype's dangerous exploit: What you need to know

Skype for Mac has a dangerous and wormable zero-day vulnerability

Security researchers revealed a dangerous exploit in Skype for Mac which can be exploited to create a worm that can take control of Mac PCs. This FAQ will help you understand the potential impact of the threat, and what you can do to protect your system.

What is the vulnerability? PureHacking, an Australian security research firm, published a blog post describing a vulnerability and proof-of-concept exploit affecting Skype for Mac.

What is the potential risk? The researchers at PureHacking and the developers at Skype seem to disagree on the scope of the threat. PureHacking claims to have developed a proof-of-concept exploit that allows the attacker to take complete control of the vulnerable Mac system, and states that the flaw is easily wormable and extremely dangerous.

Skype seems to believe the threat is much more limited. Skype explains that a message from a malicious contact could cause the Skype for Mac software to crash, and stresses that default privacy settings in Skype restrict the impact because you can only receive messages from your authorized list of contacts.

There is a pretty big difference between "limited threat that crashes the Skype client" and "dangerous worm that pwns Mac PCs". PureHacking may lean toward "sky is falling" for the sensationalism, while Skype has a motive for erring on the side of "no big deal". Let's assume the truth is somewhere in the middle.

Is my version of Skype affected? According to the Skype blog post, only Skype for Mac 5.x is affected. Earlier versions are not vulnerable to this exploit.

What about Skype on Windows or Linux? The flaw only exists in the Skype for Mac client. PureHacking investigated the issue on Skype for Windows and Skype for Linux, and found that the exploit does not work on those platforms.

Is this related to the Skype for Android app issue? No. The issue with the Skype for Android app was a configuration error by Skype that left a database containing sensitive data open and unencrypted. This vulnerability is a flaw that enables a specially-crafted Skype message to execute malicious code on the target Mac OS X system.

Should I be concerned? The risk of exploit is virtually nil for Mac OS X. Despite assertions by Apple loyalists that Mac OS X is simply more secure by default and virtually impervious to attack, the annual Pwn2Own contest and the proof-of-concept exploit developed by PureHacking for this threat demonstrate otherwise. That said, Mac OS X is still a drop in the bucket for PC market share and malware developers have their attention focused on the big pool, so there is little risk of this being exploited in the wild any time soon.

Is there a fix? Skype claims to have been aware of the issue even before PureHacking brought it to its attention, and has already developed a hotfix which has been available since April 14. Skype has not pushed the hotfix, though, because it is not aware of this flaw being exploited in the wild. Next week, Skype will push an updated version of Skype for Mac 5.x which resolves the problem, and includes a variety of other tweaks and fixes as well.

What should I do? If you are really concerned, get the hotfix from Skype and apply it now. If you prefer, though, you can probably just wait until next week when Skype unleashes the updated version.


Stories by Tony Bradley
