Hi there! I’m the latest “wants-to-be-friends” friendly surfing Skype, and if you add me now, I promise I won’t exploit a security vulnerability that lets me take super-secret command of your Mac, or even—on a whim—expunge every last byte you hold precious! Actually you don’t need to add me at all–this next message should do the trick: “Hi! This is FilthyManners6793 and I want to be your special friend!” See? That’s all it takes. Do not attempt to adjust the picture. I’m in the driver’s seat now, and what happens next is going to seem not-so-positively magical.
I’m kidding, of course, but the issue’s no joke. Security firm Pure Hacking says filthy-mannered hackers can gain remote control of another Mac running Skype–Windows and Linux, you’re off the hook–by simply sending the intended victim a message. Pure Hacking’s Gordon Maddern reported the “0day” Skype vulnerability last week–in fact he says he discovered it “over a month go.”
“The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victims Mac,” wrote Maddern on his blog last Friday. “It is extremely wormable and dangerous.”
Maddern said he had a tough time figuring out who to contact at Skype (Skype’s contact process is famously deplorable) and when he finally did, all he got was a canned response, basically “thanks, we’re on it, look for a hotfix soon.” A month on, Maddern said the issue remains.
Now Inquirer reports that Skype already issued the hotfix on April 14, but only as a manual update. They’ll reportedly switch to something prompt-based later this week. I’m not sure I buy the dismissive reasoning for the delay, that “there were no reports of this vulnerability being exploited in the wild, [so] we did not prompt our users to install this update.” There’s another update in the offing, it seems, and they wanted to bundle the two together.
I just initiated a manual client update (from version 184.108.40.2064) and it looks like the hotfix is version 220.127.116.112, about 20.2 MB. You can grab it now by selecting “check for updates” under “skype” on the menubar, or wait until you’re prompted for it (and whatever else Skype’s planning) later this week.
I wouldn’t wait.