Skype Bug Leaves Mac Users Vulnerable to Exploit: Updated

Those running Skype on OS X are vulnerable to an exploit that allows attackers to gain root access on target machines. Through an instant message, attackers could deliver a malicious payload that would give them remote access via a shell. The issue has already been addressed by the Skype team and should be fixed in a future update. In the meantime, a proof of concept reveals the need for caution in light of recent OS X security warnings and concerns.

Gordon Maddern of Pure Hacking, using a payload derived from the Metasploit framework, was able to send colleagues malicious messages that are able to execute on their remote machines. The Register’s Dan Goodin reports that while Maddern didn’t clarify what specific interactions were needed on the receiver’s end to activate the payload, access to a victim’s machine may potentially give attackers the ability to spread the infection to other machines on the local network, or again via Skype.

Maddern writes,

The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victim's Mac. It is extremely wormable and dangerous.

This news follows a week where Google Images became a vector to spread malware on OS X.

Taking advantage of how Safari handles downloads by default, MacDefender malware has been targeting users browsing Google Images. By scaring recent converts with the possibility that their machines are infected, users are asked to install software to remove the threat. Of course, people still fall for these common methods of attack, and new Mac users may not be fully aware of how their new machines operate.

Today, Ed Bott from ZDNet detailed what an attack might look like if it happens to you.

Update: This evening, Skype made a statement on their security blog addressing that the issue has already been fixed. However, it’s not yet available as an in-app update.

This vulnerability, which they blogged about earlier today, is related to a situation when a malicious contact would send a specifically crafted message that could cause Skype for Mac to crash. Note, this message would have to come from someone already in your Skype Contact List, as Skype’s default privacy settings will not let you receive messages from people that you have not already authorized, hence the term malicious contact.

A hotfix was released in version 5.1.0.922 of Skype for Mac on April 14th, which needed to be downloaded manually. If you haven't yet updated to a more recent version, now would be the time to launch the Skype app and check for an update. Older versions of Skype will push you to the download page where you can update to the most recent version; if you're already on a more recent version, you'll have to download Skype manually, as a commenter pointed out below. Next week, Skype will push the hotfix as an in-app update for otherwise up-to-date users.
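For anyone managing more than one Mac, a quick way to confirm the hotfix is in place is to read the installed version out of the app bundle and compare it numerically against 5.1.0.922. The script below is an added example, not code from the article or from Skype; it assumes the standard install path /Applications/Skype.app and the standard macOS bundle key CFBundleShortVersionString in its Info.plist. The comparison is done on integer tuples rather than strings, so a build like 5.10 is correctly treated as newer than 5.9.

```python
"""Check whether the locally installed Skype for Mac is at or past the hotfix version.

Added example, not part of the MacStories article. Assumptions: the app lives at
/Applications/Skype.app and its Info.plist carries CFBundleShortVersionString
(the standard macOS bundle layout). The hotfix version 5.1.0.922 is from the article.
"""
import plistlib
import re
from pathlib import Path

HOTFIX_VERSION = "5.1.0.922"
DEFAULT_PLIST = "/Applications/Skype.app/Contents/Info.plist"  # assumed install path


def parse_version(version: str) -> tuple:
    """Turn a dotted version string into a tuple of ints so comparison is numeric
    (string comparison would claim "5.10" < "5.9"). Parsing stops at the first
    component that does not start with a digit."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group(0)))
    return tuple(parts)


def is_patched(installed: str, hotfix: str = HOTFIX_VERSION) -> bool:
    """True when the installed version is the hotfix build or newer."""
    a, b = parse_version(installed), parse_version(hotfix)
    # Pad the shorter tuple with zeros so "5.1" compares as 5.1.0.0.
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a >= b


def installed_skype_version(plist_path=DEFAULT_PLIST):
    """Read the bundle version from Info.plist; None if Skype is not installed."""
    path = Path(plist_path)
    if not path.is_file():
        return None
    with path.open("rb") as fh:
        info = plistlib.load(fh)
    return info.get("CFBundleShortVersionString")


def check(plist_path=DEFAULT_PLIST) -> str:
    """Human-readable verdict for the local install."""
    version = installed_skype_version(plist_path)
    if version is None:
        return "skype-not-installed"
    if is_patched(version):
        return "patched"
    return "vulnerable (%s < %s)" % (version, HOTFIX_VERSION)


if __name__ == "__main__":
    print(check())
```

Run it with `python3 check_skype.py` on each Mac; a "vulnerable" verdict means the manual download described above is still needed, and "skype-not-installed" means there is nothing to patch.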
