Posted on 05/06/2011 4:33:50 PM PDT by Swordmaker
'Extremely wormable and dangerous'
Mac users running Skype are vulnerable to self-propagating exploits that allow an attacker to gain unfettered system access by sending a specially manipulated attachment in an instant message, a hacker said.
"The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victim's Mac," Gordon Maddern of Australian security consultancy Pure Hacking blogged on Friday. "It is extremely wormable and dangerous."
The vulnerability, which Maddern said isn't present in the Windows or Linux versions of the popular VoIP program, was confirmed by Skype spokeswoman Brianna Reynaud, who said a fix will be rolled out next week. Its disclosure comes the same week that researchers discovered a new crimekit that streamlines the production of Mac-based malware. It also comes as new malware surfaced for Apple's OS X that masquerades as a legitimate antivirus program.
Reynaud said there are no reports that the Skype vulnerability is being actively exploited.
Maddern said he stumbled on the critical flaw by accident.
"About a month ago I was chatting on skype to a colleague about a payload for one of our clients," he wrote. "Completely by accident, my payload executed in my colleague's skype client. So I decided to test another mac and sent the payload to my girlfriend. She wasn't too happy with me as it also left her skype unusable for several days."
He then set out to write proof-of-concept attack code that used payloads borrowed from the Metasploit exploit framework. The result: a Skype exploit that allows him to remotely gain shell access on a targeted Mac. Because it's sent by instant messages, it might be possible to force each infected machine to send the malicious payload to a whole new set of Macs, causing the attack to grow exponentially.
Maddern didn't say what interaction is required on the part of the victim, and he didn't immediately respond to an email seeking clarification. His blog post says he notified Skype of the vulnerability more than a month ago, and that he will withhold specific details until a patch is released to prevent malicious attacks. ®
The headline in this article was updated to correct the nature of the vulnerability. It remotely gives shell access.
Well, the vermin are beginning to crawl out of the woodwork at last. As they say, it is not at all the beginning of the end, but it is the end of the beginning. Macs are now officially a target species. Hurrah! (It is a milestone of sorts, eh?)
From TFA:
> Maddern didn't say what interaction is required on the part of the victim, and he didn't immediately respond to an email seeking clarification.

I'll be interested to learn if it circumvents the usual Mother-may-I prompts for administrative access password.
Now, let's see.... I use Skype all day, every day, on both Mac OS-X and Windows 7, and occasionally on my iPod Touch. I cannot function at work without Skype these days, because a few hundred people contact me on skype every week, and won't or can't use other means (email, phone).
And naturally, I'm up-to-date on Skype releases, so I'm using Version 5 everywhere.
Drat. Damned vermin.
So what gets sent, really? I read this:
> ...sending a specially manipulated attachment in an instant message...

Do they mean dropping a file into the chat? I do that occasionally; people do that occasionally to me. But I never chat, much less accept files from, unknown people. I suppose someone could manage to masquerade as a user I know...
Yeeeechhhh!
Well, Skype will patch the bug, and Apple will close the hole, and all will be well until the next one...
Thanks for that explanation; I’ll do that.
Not sure that will stop this particular vulnerability, tho.
But can you confirm that the bug is only for the latest version of Skype? I’m pretty sure I never upgraded; I’ll check that if it would make a difference . . .
I logged off my Mac and powered it down for the weekend; will make the check and the changes you suggest if they will presumably be adequate.
Otherwise I could be tempted to use my netbook for a week if that will tide me over ‘til the update is released. Having dear ones abroad, taking Skype off isn’t a good option at all.
> Most likely true... and unless you have activated ROOT not too dangerous.
I wouldn't be so sure.
"Shell access" means you have access to the "shell", the level of the operating system where commands are spawned. It is NOT limited to SSH access, which is a specialized way of getting a remote shell on another machine. While it's true that SSH access on machine A is turned off by default (thus machine B cannot SSH into A), that doesn't have any effect on access within machine A to the shell layer of the OS.
The way I read this, they're saying that the malware gains the ability to execute programs on the infected machine.
No, I can't because I have seen nothing beyond this posting. I am not even sure it's legit. I can't quite see how it's being accomplished, much less how it can affect a Mac and not other Skype clients. It may be FUD for all I know at this point.
>> It remotely gives shell access.
Impressive access for a chat client. What else can it do?
Hey now.
Isn’t the point of Mac more or less, that one does (not) run as Administrator?
After all, running in Administrator, is pretty much Windows.
There are two levels of administrator in OSX... administrator and ROOT. Root is turned off by default in OSX. That is essentially the "Superuser" level that all WindowsXP users start out using. . . and the administrator level that Windows7 users have.
Thanks, Swordmaker, for the helpful information. What would we single users with no IT do without you?
> Hey now.
And they say computer geeks don't get any... HA!
We just do it by Skype, that's all....
Things have certainly changed since the floppy disk era.
Confirm: You are saying that Win7 users are superusers in the same way that XP users are? I had the impression that W7 was better in that regard??
No, they are a lot better. But their administrator level is a superuser level. They just don't have ALL their users at administrator level any more. Win7 users are standard users.
Almost everything about Skype code is stupid and unforgivable. And that was before MS bought them.
Skype releases patch for zero-day vulnerability in Skype 5 for Mac

Apparently your information was correct about that. Turns out I, having never updated to Skype 5, needn't have worried.
But I do worry about that sort of thing. Which makes the fact that the alarms which have a realistic basis are few and far between on the Mac a significant benefit to me.
Sometimes it pays not to update!