An Australian security researcher recently found a dangerous zero-day bug in the Skype client for Apple’s Mac computers which may be used by attackers to take control of a victim’s computer, various reports say.
Pure Hacking’s Gordon Maddern said he accidentally discovered the vulnerability a month ago and has also notified Skype about his discovery shortly after he proved it was exploitable.
However, Maddern wrote in his post that when he notified Skype, the company’s answer was the standard: “Thank you for showing an interest in skype security, we are aware of this issue and will be addressing it in the next hotfix.”
“About a month ago I was chatting on skype to a colleague about a payload for one of our clients. Completely by accident, my payload executed in my colleagues skype client.
I decided to investigate a little further and found that the Windows and Linux clients were not vulnerable. It was only the Mac skype client that seemed to be affected. So I decided to test another mac and sent the payload to my girlfriend. She wasn’t too happy with me as it also left the her skype unusable for several days.
At this point I figured out what was needed to execute code. So I put together a proof of concept using metasploit and meterpreter as a payload. Low and behold I was able to remotely gain a shell.”
Mac users who use Skype are warned to be cautious and not accept messages or calls from strangers. You can download the patched and latest Skype client for Mac here. (download Skype 18.104.22.1682)