Pure Hacking's Gordon Maddern, a tech security writer, has uncovered a zero-day vulnerability affecting Mac users of the popular chat platform Skype. He writes: "About a month ago I was chatting on Skype to a colleague about a payload for one of our clients. Completely by accident, my payload executed in my colleague's Skype client."
Further tests showed that the payload executed only in Skype clients on Macs; the Windows and Linux clients appeared to be unaffected. After using Metasploit and Meterpreter to build a proof of concept, Maddern was able to obtain a remote shell on the target Mac through the Skype exploit.
Perhaps alarmingly, Maddern reported the issue to Skype's security team over a month ago, and the only response was a generic "Thank you, we'll get to that soon".
"The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victim's Mac," Maddern writes. "It is extremely wormable and dangerous."
The bug was finally fixed in a manually installable patch released today.
If you use Skype on your Mac, download and install the manual update to patch the bug. A full version update should be available in the next week or so.