Free Republic
General/Chat

Skype bug gives attackers access to Mac OS X machines
The Register ^ | 6th May 2011 19:40 GMT | By Dan Goodin in San Francisco

Posted on 05/06/2011 4:33:50 PM PDT by Swordmaker

'Extremely wormable and dangerous'

Mac users running Skype are vulnerable to self-propagating exploits that allow an attacker to gain unfettered system access by sending a specially manipulated attachment in an instant message, a hacker said.

“The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victim's Mac,” Gordon Maddern of Australian security consultancy Pure Hacking blogged on Friday. “It is extremely wormable and dangerous.”

The vulnerability, which Maddern said isn't present in the Windows or Linux versions of the popular VoIP program, was confirmed by Skype spokeswoman Brianna Reynaud, who said a fix will be rolled out next week. Its disclosure comes the same week that researchers discovered a new crimekit that streamlines the production of Mac-based malware. It also comes as new malware surfaced for Apple's OS X that masquerades as a legitimate antivirus program.

Reynaud said there are no reports that the Skype vulnerability is being actively exploited.

Maddern said he stumbled on the critical flaw by accident.

“About a month ago I was chatting on Skype to a colleague about a payload for one of our clients,” he wrote. “Completely by accident, my payload executed in my colleague's Skype client. So I decided to test another Mac and sent the payload to my girlfriend. She wasn't too happy with me as it also left her Skype unusable for several days.”

He then set out to write proof-of-concept attack code that used payloads borrowed from the Metasploit exploit framework. The result: a Skype exploit that allows him to remotely gain shell access on a targeted Mac. Because the payload is delivered over instant messages, it might be possible to force each infected machine to send it on to a whole new set of Macs, causing the attack to grow exponentially.

Maddern didn't say what interaction is required on the part of the victim, and he didn't immediately respond to an email seeking clarification. His blog post says he notified Skype of the vulnerability more than a month ago, and that he will withhold specific details until a patch is released to prevent malicious attacks. ®

The headline in this article was updated to correct the nature of the vulnerability. It remotely gives shell access.


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: skype

1 posted on 05/06/2011 4:33:51 PM PDT by Swordmaker

To: ~Kim4VRWC's~; 1234; 50mm; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; Aliska; ...
Mac Skype users... this may be a first... Skype worm possible... may be the first Mac OSX Worm... PING!

Please, No Flame Wars, Discuss technical issues, software, and hardware.
Don't attack people!

Don't respond to the Anti-Apple Thread Trolls!
PLEASE IGNORE THEM!!!


Apple Security Alert Ping!

If you want on or off the Mac Ping List, Freepmail me.

2 posted on 05/06/2011 4:35:43 PM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone.)

To: Swordmaker
Mac Skype users... this may be a first... Skype worm possible... may be the first Mac OSX Worm... PING!
It remotely gives shell access.
What are the limitations of "shell access?"

3 posted on 05/06/2011 4:49:39 PM PDT by conservatism_IS_compassion (DRAFT PALIN)

To: conservatism_IS_compassion
What are the limitations of "shell access?"

Not much limitation... user access. So don't run as administrator. This is not good.

Why is Skype running data in an executable area??? That is stupid and unforgivable!

4 posted on 05/06/2011 4:54:52 PM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone.)

To: conservatism_IS_compassion

Better idea... don’t run Skype...


5 posted on 05/06/2011 4:55:36 PM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone.)

To: Swordmaker

I am actually amazed Skype could even do that. I find Apple products usually are not as loose as that.


6 posted on 05/06/2011 4:56:47 PM PDT by CodeToad (Islam needs to be banned in the US and treated as a criminal enterprise.)

To: Swordmaker

***So don’t run as administrator. This is not good.***

So what do you do if you’re an only user and have to be administrator?


7 posted on 05/06/2011 5:06:29 PM PDT by kitkat ( I sure HOPE that it's time for a CHANGE from Obama.)

To: Swordmaker

The update says:

“...a hotfix for the vulnerability was released in mid April.

‘As there were no reports of this vulnerability being exploited in the wild, we did not prompt our users to install this update, as there is another update in the pipeline that will be sent out early next week,’ Skype’s Adrian Asher wrote.

He added:
This vulnerability, which they blogged about earlier today, is related to a situation when a malicious contact would send a specifically crafted message that could cause Skype for Mac to crash. Note, this message would have to come from someone already in your Skype Contact List, as Skype’s default privacy settings will not let you receive messages from people that you have not already authorized, hence the term malicious contact.”


8 posted on 05/06/2011 5:06:37 PM PDT by Leonard210 (Tagline? We don't need no stinkin' tagline.)

To: Swordmaker

All I can find - that it messes up skype on the “affected computer”? So - “self-propagating” means that a user has to manually send it to another user? I guess I don’t understand...

Also - this is a problem with Skype’s code, not Apple’s... Yes?


9 posted on 05/06/2011 5:30:36 PM PDT by TheBattman (They exchanged the truth about God for a lie and worshiped and served the creature...)

To: Swordmaker

Why would you skype when you can facetime?


10 posted on 05/06/2011 5:35:44 PM PDT by brytlea (Trying to think of something worth the waste of a keystroke...)

To: kitkat
So what do you do if you’re an only user and have to be administrator?

You don't have to be the administrator even if you are the only user. Go into system preferences, select Accounts, create a new administrator user (give it an imaginary, difficult but memorable name such as "Senat0rF0gh0rnLegh0rn" [those are zeros where the 'Os' are, just don't use "Admin"!], and a hardened password that you won't forget), make that account an administrator. Turn on Fast User Switching in Login Options (that's at the bottom of the user list)... with the Name option selected. I'd turn off Automatic login. Now Log Off your account. Log into the new Administrator. Change your usual account to Standard User. Lock the Accounts Pane by clicking on the padlock in the lower left corner. Log Off the new Administrator account...

Log back into your usual account and continue your usual operations. You can still add software and install stuff, but you will have to provide the new Administrator name and password when you need to do that... a much safer way of operating. You can always switch to the Administrator for long jobs requiring administration by clicking on your name on the upper right of the menu bar and selecting the Admin account... and logging on. Always remember to log off the Admin account when not using it.

11 posted on 05/06/2011 5:37:57 PM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone.)
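The account split Swordmaker walks through above (a separate administrator, the everyday account demoted to Standard) can also be done from Terminal. This is an added example, not code from the thread or from Apple: it uses dscl(1), dseditgroup(8) and createhomedir(8), which ship with Mac OS X, and takes the new administrator's short name as an argument rather than assuming one. The group-list parser is kept as a plain shell function so the "am I an admin?" check can be exercised anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): the same account split as post 11,
# done from Terminal on Mac OS X with dscl(1), dseditgroup(8), createhomedir(8).
# Run create_admin / demote_to_standard while logged in as an administrator.
# The short names you pass in are your choice; nothing here is hard-coded.

# Does a whitespace-separated group list (the format `id -Gn` prints) contain
# the admin group? Pure shell, so it runs on any system, Mac or not.
has_admin_group() {
    for g in $1; do
        [ "$g" = "admin" ] && return 0
    done
    return 1
}

# Is the named account currently an administrator on this Mac? Membership in
# group "admin" (gid 80) is what the Accounts pane's "Allow user to administer
# this computer" checkbox toggles. Unknown users simply come back "no".
is_admin() {   # $1 = short name
    has_admin_group "$(id -Gn "$1" 2>/dev/null)"
}

# Next unused UID at or above 501, the range Mac OS X hands to local users.
next_uid() {
    dscl . -list /Users UniqueID |
        awk '$2 >= 501 { if ($2 > m) m = $2 } END { print (m < 501 ? 501 : m + 1) }'
}

# Create a new local administrator. dscl prompts for the password on the
# terminal, so it never lands on the command line or in shell history.
create_admin() {   # $1 = short name
    uid=$(next_uid)
    sudo dscl . -create "/Users/$1"
    sudo dscl . -create "/Users/$1" UserShell /bin/bash
    sudo dscl . -create "/Users/$1" RealName "$1"
    sudo dscl . -create "/Users/$1" UniqueID "$uid"
    sudo dscl . -create "/Users/$1" PrimaryGroupID 20          # staff
    sudo dscl . -create "/Users/$1" NFSHomeDirectory "/Users/$1"
    sudo dscl . -passwd "/Users/$1"
    sudo createhomedir -c -u "$1" >/dev/null
    sudo dseditgroup -o edit -a "$1" -t user admin
}

# Demote an account to Standard by removing it from the admin group.
# Refuses if no other (non-root) administrator would remain, which is the
# lock-out case the GUI also guards against.
demote_to_standard() {   # $1 = short name
    others=0
    for a in $(dscl . -read /Groups/admin GroupMembership | cut -d: -f2); do
        [ "$a" != "root" ] && [ "$a" != "$1" ] && others=$((others + 1))
    done
    if [ "$others" -eq 0 ]; then
        echo "refusing to demote $1: no other administrator would remain" >&2
        return 1
    fi
    sudo dseditgroup -o edit -d "$1" -t user admin
}
```

Typical order, from the existing admin login: `create_admin newadmin`, log in once as that account to confirm the password works, then `demote_to_standard youreverydayname` and `is_admin youreverydayname` should now fail. Fast User Switching and Automatic Login are still set in the Accounts pane's Login Options; none of the above touches them.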

To: Swordmaker; conservatism_IS_compassion
Better idea... don’t run Skype...

It's my understanding that this affects Skype 5, the latest version. The older versions are not affected. Still, very stupid on Skype's part.

12 posted on 05/06/2011 5:42:41 PM PDT by stripes1776

To: Swordmaker

Well that sucks, I just loaded it to see my grandsons who are in Germany with their dad who is stationed there.


13 posted on 05/06/2011 5:57:08 PM PDT by MileHi ( "It's coming down to patriots vs the politicians." - ovrtaxt)

To: Swordmaker
...a Skype exploit that allows him to remotely gain shell access on a targeted Mac.

Unless I'm missing something, shell access (SSH) would have to have been previously enabled on the target Mac.

14 posted on 05/06/2011 6:01:06 PM PDT by 6SJ7 (atlasShruggedInd = TRUE)

To: stripes1776
It's my understanding that this affects Skype 5, the latest version. The older versions are not affected. Still, very stupid on Skype's part.

Sigh... Adding insult to injury. I'm a Mac and Skype user and I hate the latest version of Skype! Unfortunately, I'm not the most computer-literate person in the world (hence my preference for Macs) and I need to figure out how to ditch this current "upgrade" of Skype and bring back my old version.

I really, really hate the latest Skype upgrade! Did I mention that I really hate this latest version of Skype?

15 posted on 05/06/2011 6:02:03 PM PDT by Gena Bukin

To: TheBattman
Also - this is a problem with Skype’s code, not Apple’s... Yes?

Yes, but Apple should prohibit the access that Skype is using...

16 posted on 05/06/2011 7:38:56 PM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone.)

To: 6SJ7
Unless I'm missing something, shell access (SSH) would have to have been previously enabled on the target Mac.

Most likely true... and unless you have activated ROOT not too dangerous.

17 posted on 05/06/2011 7:40:17 PM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone.)

To: Gena Bukin
I really, really hate the latest Skype upgrade! Did I mention that I really hate this latest version of Skype?

Uh, no, would you care to repeat that?

18 posted on 05/06/2011 7:41:08 PM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone.)

To: Gena Bukin
I'm a Mac and Skype user and I hate the latest version of Skype! Unfortunately, I'm not the most computer-literate person in the world (hence my preference for Macs) and I need to figure out how to ditch this current "upgrade" of Skype and bring back my old version.

Do you still have the old installation file for Skype in the Downloads folder (or possibly in the Trash folder)? If so you can go to the Applications folder and drag Skype to the Trash. Then click on the old installation file to install the old version.

19 posted on 05/06/2011 7:48:17 PM PDT by stripes1776

To: Leonard210
Skype’s default privacy settings will not let you receive messages from people that you have not already authorized, hence the term malicious contact.”
Unless I've been stupid and changed that default, I wouldn't put too much store by that - I've had some spam in Skype messenger.

20 posted on 05/06/2011 10:19:57 PM PDT by conservatism_IS_compassion (DRAFT PALIN)


