Skype vulnerability discovered by Pure Hacking - voodookid
http://www.purehacking.com/blogs/gordon-maddern/skype-0day-vulnerabilitiy-discovered-by-pure-hacking

======
jimrandomh
There is easily enough information in this post for a reasonably clever
blackhat to rediscover the vulnerability. I'm reasonably certain I can guess
what it is.

So don't use Skype on Mac if you can help it, and if you must use it turn off
messages from sources not in your contact list.

------
dguido
"About a month ago I was chatting on skype to a colleague about a payload for
one of our clients," he wrote. "Completely by accident, my payload executed in
my colleague's skype client."

If I had to guess, they were probably pasting back and forth JavaScript
"payloads" for an XSS and broke the parser that Skype is using for formatting
chat messages. Not that interesting.

Chat messages on Skype aren't exactly the most effective propagation mechanism
either. Don't you have to be approved as someone's friend before they can send
you a message? This probably won't be used in any massive attacks any time
soon. Until then, continue to annoy your girlfriends as the author apparently
did.

~~~
bradleyland
There are plenty of times where I believe threats are overhyped. This is not
one of them.

1) The default privacy setting in Skype is to allow anyone to send you a chat
message. I know plenty of Skype users who complain to me about random chat
messages, which indicates to me that they haven't changed their privacy
preferences yet.

2) Regardless of the type of payload they used, "Low and behold I was able to
remotely gain a shell." Remote shell. Through a Skype message. Would you give
a random person shell access to your computer? It's more than interesting,
it's terrible.

3) Spammers already infest the Skype network. If they discover this vuln
before Skype patches it, you can fully expect that it will be exploited.

There is no mention of privilege escalation in the article, but once you have
a shell, the world is your oyster. There are bound to be exploitable services
locally on the machine. Once you're in, you've got the run of the place.

------
Jach
How long until Skype fixes it and we see the details? Skype seems really bad
about fixing/disclosing things. Anyone else remember this?
[http://forum.skype.com/index.php?s=17fbdf08801503eebf66d315f...](http://forum.skype.com/index.php?s=17fbdf08801503eebf66d315f03d14b6&showtopic=310121&st=20&p=1633781&#entry1633781)

HN page: <http://news.ycombinator.com/item?id=656174>

Edit: woops, my bad, apparently SkypeMate is independent.

------
tav
Skype claim to have already fixed the bug with their release last month on
April 14th:
[http://blogs.skype.com/security/2011/05/security_vulnerabili...](http://blogs.skype.com/security/2011/05/security_vulnerability_in_mac.html)

Sadly the fix seems to be only for the 5.x series and there's no indication
for holdouts like myself on whether 2.x is affected or not.

------
mahrain
Another scary thing here is that, since Skype 5.0 sucks so badly, many people
downgraded to 2.x and Skype probably will ignore that release when they fix
the vulnerability.