Skype Preps Patch For Malicious Mac Infection

Dennis Faas's picture

Online phone service Skype is preparing to fix a bug in the Mac edition of the system that could allow hackers to take control of a computer remotely. The site that discovered the bug has accused Skype of dragging its heels on the issue.

Gordon Maddern of purehacking.com says he discovered the bug entirely by mistake. He was talking to a colleague on a Skype connection about some code written for a client. To his surprise he was able to make the code run on his colleague's computer.

Upon closer examination, Maddern discovered that the hack only worked where the recipient's computer was a Mac: both Windows and Linux versions were unaffected. He also found that, while in the first instance the transmitted code had run within Skype itself, it was possible to gain shell access to execute arbitrary programs and commands.

Skype Bug Could Lead to Worm Effect

According to Maddern, the flaw is "extremely wormable," meaning that a hacker could set up a chain reaction by which one hacked computer could automatically seek out other connected Skype-enabled Macs, infect them, then pass the code on to their list of contacts, and so on. Done effectively, such a technique could infect a vast number of computers in short order.

There is an important limitation in that the code can only be spread between Skype users who have actively added one another as contacts on the system (similar to adding a friend's details to an address book) and can't be passed on to strangers.

Full Details Kept Confidential For Now

Maddern informed Skype about the issue and was told it would be addressed in the next security update. When this didn't happen and there had been no action for a month, Maddern publicized the problem, while vowing to keep the full details under wraps until it had been addressed. (Source: purehacking.com)

Skype Officially Releases Fix for Mac This Week

Skype has now fixed the issue in the latest edition of the Mac software (5.1.0.922).

The new version is scheduled to be sent out automatically this week, though users can manually install it now. The company says it did make a fix available in mid-April but chose not to make it an automatic update at the time as there was no evidence that hackers were both aware of the bug and exploiting it. (Source: skype.com)
