Gordon Maddern says he discovered the bug quite by accident, after mistakenly sending a payload for one of his clients to a colleague via Skype.
“I decided to investigate a little further and found that the Windows and Linux clients were not vulnerable. It was only the Mac Skype client that seemed to be affected,” he says.
“So I decided to test another Mac and sent the payload to my girlfriend. She wasn’t too happy with me as it also left her Skype unusable for several days.”
Maddern put together a proof of concept using Metasploit with Meterpreter as the payload, and found he was able to gain a shell on the target Mac remotely.
“The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victim’s Mac. It is extremely wormable and dangerous,” he says.
Maddern says it took over a month for Skype to respond and issue a patch. It has now done so, with version 22.214.171.1242, which requires a manual update; an automatic update will be pushed out next week.
“At the time they alerted us, we were already aware of the issue and were working on a fix to protect Skype users from this vulnerability, as we take our users’ security very seriously,” says Skype’s chief information security officer Adrian Asher.
“We subsequently released a hotfix for this problem in a minor update (Skype for Mac version 126.96.36.1992) on April 14th. As there were no reports of this vulnerability being exploited in the wild, we did not prompt our users to install this update, as there is another update in the pipeline that will be sent out early next week.”