Skype's Mac worm hype, scope out the free update

Alex Zaharov-Reutt
Tuesday, 10 May 2011 13:37

Your IT - Home IT

If you're running Skype on a Mac, the word has come that you need to apply a free update to whack a worm and make it squirm and scoot off into oblivion.

Updated: While Skype users on Windows and Linux platforms aren't affected, a vulnerability in the Mac version of Skype (versions 5.x and older) lets an existing Skype contact send you a message with a wormy payload.

While Skype actually fixed this bug waaay back on April 14 with Skype for Mac version 5.1.0.922, it didn't deem the update critically necessary and thus didn't show up as a new version even if you clicked on 'Skype' in the toolbar and then clicked 'check for updates'.

At Skype's Security Blog post states: "As there were no reports of this vulnerability being exploited in the wild, we did not prompt our users to install this update, as there is another update in the pipeline that will be sent out early next week.

"This new update will include some additional updates and bug fixes. When it is released, we will notify all Skype for Mac users of the need to update their software (the client will prompt the user to update)."

The next sentence says: "In the meantime, we recommend you update your software with the fix made available on April 14th, just click on Skype -> Check for Updates or you can download the software here."

I clicked check for updates and received the message that no updates were available, and because I had updated Skype only very recently, I thought I had the right update. Others are reportedly seeing the same behaviour, so the manual download is the only way if you're still on 5.1.0.914 and prefer the safety of the 922 update.

Aussie security firm Pure Hacking discovered the bug and notified Skype about it, and as it took Skype a while to respond, which prompted Pure Hacking's disclosure, the bug has been fixed.

You can read Pure Hacking's post here, but a salient passage says: 'The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victims Mac. It is extremely wormable and dangerous.'

Pure Hacking also says the bug affects all previous versions of Skype for Mac, although Skype's Security blog only refers to Skype for Mac 5.x.

Skype's Security Blog states that it was contacted by Pure Hacking 'last month' which is 'related to a situation when a malicious contact would send a specifically crafted message that could cause Skype for Mac to crash. Note, this message would have to come from someone already in your Skype Contact List, as Skype's default privacy settings will not let you receive messages from people that you have not already authorized, hence the term malicious contact.'

Skype's Security Blog continues saying that Skype was 'already aware of the issue and were working on a fix to protect Skype users from this vulnerability, as we take our users' security very seriously.'

We can all thank the ethical hackers of the world for bringing these kinds of security issues to light, shaming companies where necessary into action to not only disclose problems but fix them promptly, too.

Thus, while the hype over the Skype for Mac worm is real, there's no need for hope, just scope out next week's free update, and if you haven't already download and install the manual update now!