Australian security researchers at PureHacking wrote a blog post detailing a flaw in the Skype for Mac software. Skype and PureHacking seem to disagree on the potential effects of the attack, but Skype has a fix and will push an update out to users next week.
Only a few weeks after the revelation that the Skype for Android app left sensitive personal data on Android devices exposed to potential compromise, Skype has a new security issue to deal with: a flaw in the Mac OS X client software that could allow an attacker to take control of a vulnerable Mac OS X system.
In the blog post describing the flaw, PureHacking notes that, “an attacker needs only to send a victim a message and they can gain remote control of the victim’s Mac. It is extremely wormable and dangerous.”
While Skype does acknowledge the issue in a blog post of its own, the Skype blog post simply says that an exploit of the flaw could cause the Skype for Mac software to crash, and doesn’t mention anything about a worm. In fact, the Skype post seems to downplay the possibility of a worm by pointing out that an attack would have to come from a contact you know because the default security settings won’t display messages from contacts you haven’t authorized.
In the end, it doesn’t really matter for two reasons. First, although Mac OS X is creeping up in market share and may soon be a target worthy of the effort, the fact is that attackers are busy developing attacks for Windows PCs because the potential payoff is much larger from the platform that has 90 percent market share than it is from the platform that has less than ten percent.
The second reason is that Skype already has a hotfix available that addresses the problem, and as of next week it will push out an updated version of the Skype for Mac software that resolves the problem as well. So, whether you choose to rush out and get the patch, or wait a week and get the larger software update, odds are good the problem will be fixed before you need to worry about a Mac worm pwning your system.