Confusion over Skype for Mac security issue - Update
Since the start of April there has been a serious security problem in the Skype for Mac client which could allow an attacker to remotely get access to a shell. Skype released a fix in the middle of April but did not push out an update notification as it believed the problem was not being exploited.
The problem was identified by Gordon Maddern of Pure Hacking who, in a blog entry, explained how he had discovered the problem by accident while exchanging payload files with a colleague. Upon investigation, he found the problem only affected the Mac version of Skype and, with some work, was able to put together an exploit which allowed him to remotely gain access to a shell.
After some trouble finding out who to notify, Maddern eventually got in contact with the Skype security team and was told "we are aware of this issue and will be addressing it in the next hotfix". He decided to go public on the issue since it was over a month since he had informed them and no fix had apparently been released. "An attacker needs only to send a victim a message and they can gain remote control of a victim's Mac" said Maddern, adding that "it is extremely wormable and dangerous". Pure Hacking did not release further details of the issue.
Unknown to Maddern though, Skype had released a patched version 220.127.116.112 on 14 April but had decided that it would not prompt users to update to the new version. According to a posting in the Skype Security blog, as there were no reports of the vulnerability being exploited and as a larger update was due this month, it decided it would not prompt users to install an update. It did update the downloadable version for new installations and manually checking for updates would get the new version.
Pure Hacking have confirmed that 18.104.22.1682 does close the hole. Skype also noted that the vulnerability would have to come from someone in a user's contact list; Skype's default privacy settings do not allow users to receive messages from users who have not been authorised. Skype recommends users manually update their Skype 5.x installations by selecting Skype -> Check for Updates.
It is unclear if version 2.8 of the Mac Skype client is susceptible; Skype refer to the issue as a problem with Skype for Mac 5.x. A large number of Mac Skype users still run version 2.8 because of unhappiness with version 5.0's radically changed user interface. Skype says the Windows and Linux versions of the client are unaffected by the problem.
Update - Skype has now announced a hotfix update to Skype for Mac 5.1; this update will be pushed to Skype for Mac users who will be notified that it is available for download. The hotfix, version 22.214.171.1245, includes the security fixes mentioned above, a fix for video freezing and also resolves other minor bugs.