Gordon Maddern, a member of a group of ethical hackers based in Australia that goes by the name of Pure Hacking, wrote in a blog post on Friday that he had identified the security flaw last month. “The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victim’s Mac,” Maddern said.
Describing the flaw as “extremely wormable and dangerous,” Maddern contacted Skype to inform them of the issue and heard nothing back – until today. A short time after his post appeared on Pure Hacking’s blog, Skype posted a response on its own website in order to reassure users.
Adrian Asher, Skype‘s chief information security officer, confirmed that the company was indeed contacted by Maddern last month. Asher explained in the post that the issue was “related to a situation when a malicious contact would send a specifically crafted message that could cause Skype for Mac to crash. Note, this message would have to come from someone already in your Skype Contact List, as Skype’s default privacy settings will not let you receive messages from people that you have not already authorized.”
In the post, Asher claims that they were already working on a fix when they heard from Pure Hacking, and as a result the Luxembourg-based company issued a hotfix (Skype for Mac version 188.8.131.522) on April 14. This update, however, was not pushed to Skype users “as there were no reports of this vulnerability being exploited in the wild.”
Asher goes on to announce that a new update, which will include the hotfix along with a number of other bug fixes, will be sent out next week. This update, however, will prompt users to install it. Asher’s post ends by recommending that users make sure they are running the latest version of Skype (with the April 14 fix). Mac users can check now by clicking here. Skype users with Windows and Linux are not susceptible to the vulnerability.
Founded in 2003, the company’s hugely popular VoIP application can have around 23 million users logged in and chatting at any one time. Recent reports have suggested that the company is in talks with both Google and Facebook regarding a possible joint venture or acquisition.