A tech writer of an Australia-based Internet security firm uncovered a 0-day bug in the popular VoIP client Skype that allows hackers to gain control of Mac OS X machines by sending an instant message.
Gordon Maddern of Pure Hacking said he accidentally discovered the bug while chatting with a colleague through Skype about a certain payload. His payload suddenly executed in his colleague’s Skype client.
After further testing by Maddern he also discovered that the Windows and Linux Skype clients were not affected. He said it was only the Mac version that seemed to be vulnerable. "So I decided to test another Mac and sent the payload to my girlfriend. She was not too happy with me as it also left her Skype unusable for several days," he added.
Maddern then studied what was needed to execute code and put together a proof of concept using metasploit and meterpreter as a payload. He later found out that he was able to gain remote shell access.
The gist here is that a would-be attacker only needs to send a victim an instant message and he can access everything in the victim's Mac through the exploit. The whole process can be made into a Trojan and a worm virus Maddern said.
What is bothering here is that Maddern already reported the bug to Skype’s security team over a month ago, with Skype responding with a generic reply "Thank you for showing an interest in Skype security, we are aware of this issue and will be addressing it in the next hotfix."
Skype's chief information security officer Adrian Asher said in a press statement, "At the time they alerted us, we were already aware of the issue and were working on a fix to protect Skype users from this vulnerability, as we take our users' security very seriously."
He said that they had earlier released a hotfix for this problem in a minor update (Skype for Mac version 18.104.22.1682) last April 14 and since there were no reports of hackers exploiting the bug, Skype did not prompt users to install this update, as there is another update coming that will be sent out to all Mac users early next week.
Pure Hacking will not give details on how to perform this attack until a security patch from Skype is released. Maddern said he was surprised that Skype overlooked what seemed to be a basic problem in the Mac client.