Gordon Maddern caused quite a stir over the weekend when he blogged about a zero-day vulnerability in the Mac OS X client of Skype. According to Gordon, who is part of Pure Hacking, a security consultancy, he discovered the vulnerability over a month ago and notified Skype. They responded with “Thank you for showing an interest in skype security, we are aware of this issue and will be addressing it in the next hotfix.” However, after a month of silence Gordon decided to go public.
Skype responded quickly, saying that the vulnerability has been fixed: “At the time they alerted us, we were already aware of the issue and were working on a fix to protect Skype users from this vulnerability… We subsequently released a hotfix for this problem in a minor update (Skype for Mac version 126.96.36.1992) on April 14th.”
However, the problem was that, since there were no reports of this vulnerability being exploited in the wild, Skype did not prompt its users to install this update, as, according to Skype, “there is another update in the pipeline that will be sent out early next week.”
Gordon has subsequently updated his blog: “We can confirm that Skype has fixed this issue in 188.8.131.522. It requires a manual update. All prior versions are vulnerable. According to Skype this patch will be pushed out next week.”
To update your Skype for Mac client, click Skype -> Check for Updates, or you can download the software here.
Analysis: Skype got this wrong by not notifying its users of the upgrade. A month is a long time in information security. If another attacker had discovered the same flaw and launched an attack, it could have harmed Skype’s reputation enormously.