
Skype bug gives attackers root access to Mac OS X - jlangenauer
http://www.theregister.co.uk/2011/05/06/skype_for_mac_critical_vulnerability/
======
thought_alarm
No mention of actual "root" access, just "shell" access under the user's
account. While that's still bad, obviously, on its own it's certainly not
"wormable", as the article suggests.

More hysterical reporting from The Register.

~~~
bradleyland
I contacted the author asking him to verify the claim of "root" access, since
it makes a difference to those of us who know what that is. He replied with an
apology and updated the headline.

~~~
udp
Maybe someone should change the title here, too, then.

------
bigmac
_“About a month ago I was chatting on skype to a colleague about a payload for
one of our clients,” he wrote. “Completely by accident, my payload executed in
my colleagues skype client._

That means this thing is either BS or it is an egregious bug by the Skype
team. Remote code execution doesn't happen by chance.

~~~
lawnchair_larry
Not if skype renders javascript somehow. Amazon had a similar vulnerability in
the "preview this book" feature a few months ago. If you used it to preview
certain books that had example XSS payloads, you would get owned.

~~~
nbpoole
What does XSS have to do with remote code execution? I mean, it's possible for
a Javascript parser to have vulnerabilities that can lead to arbitrary code
execution, but the Amazon example seems in no way relevant here.

~~~
lawnchair_larry
Well, it's a Register article. I left open the possibility that they called
"remote script execution" remote code execution. They already said it gains
root access, but then later said it gives shell access, which is not the same
thing (since skype does not run as root).

I have no idea what the bug is, all I meant was that it wasn't completely out
of the realm of possibility to have something render a payload.

~~~
nbpoole
Fair enough. The article does link to the actual blog post though
([http://www.purehacking.com/blogs/gordon-maddern/skype-0day-v...](http://www.purehacking.com/blogs/gordon-maddern/skype-0day-vulnerabilitiy-discovered-by-pure-hacking)).

------
51Cards
This is how you do a security alert. Notify the manufacturer of the software,
notify the press so it is made public and thus people will install updates,
and keep the details secret until it's fixed. Kudos to the discoverer.

~~~
r00fus
You know, it's a bit of FUD since I have no workaround/prevention angle.

Great. I run skype on one of my machines (OSX) and it's now vulnerable...

~~~
cheald
Our solution is "Use Google Talk until it's resolved".

~~~
rmoriz
sadly no screen/desktop sharing

~~~
dools
Check out showscreen.com - it's better than Skype I reckon

------
nolanw
Any word on whether this affects version 2 of Skype for Mac OS X (the old
one), the current Skype 5.1, or both? Neither the article nor the linked blog
post would say.

If the former, I don't imagine they'll update it, and this might finally force
me to grab 5.1.

~~~
morganpyne
I've been studiously avoiding the update since inadvertently installing it a
while ago and backtracking furiously shortly afterwards. I hope we get some
details on the versions affected and if the problem is present in v2 that we
also get a patch for that. If Skype uses this as an excuse to force the v5
upgrade they will have a lot of very unhappy people on their hands.

------
cheez
So I have to upgrade to the shitty skype now? I've been actively avoiding
v5...

~~~
lloeki
From what I've read v5 is affected but not the older, good one. Needs
confirmation though.

------
cobbal
The headline says root access, but I didn't see any references to it in the
article or its link. Does anyone know if it really is root access?

~~~
machrider
Frankly, getting a shell as my regular user on my machine can be just about as
devastating as getting root. Everything that's important to me is owned by my
user.

~~~
technomancy
If it doesn't have root access you can run it in a dummy user account until
it's patched.

Doesn't stop your machine from becoming a vector to attack other users on your
contact list though.

------
sdbryan
Why is this tabloid journalism featured in HN? Nowhere in the article is there
any indication how root access could be obtained. There should be at least
some description how privilege escalation could occur. I don't want arbitrary
code executing but that is a long way from root access. Even for shell access
the attacker needs the user's name and password. Does the target just offer
them?

~~~
nbpoole
You don't need a username and password for shell access if the application has
a vulnerability that allows for arbitrary code execution. Your code just
executes as the same user as the application. To elevate your privileges, you
would need to use a separate vulnerability once you have shell access.

------
bradleyland
Looks like it has been addressed:

[http://blogs.skype.com/security/2011/05/security_vulnerabili...](http://blogs.skype.com/security/2011/05/security_vulnerability_in_mac.html)

I submitted here as well:

<http://news.ycombinator.com/item?id=2522808>

~~~
mikeryan
I just ran "Check For Updates" and it told me I was up to date and I'm on
5.1.0.914.

So something is not working there.

~~~
dotBen
I get same.

Sometimes companies release minor updates that are reflected for fresh
downloads but don't have the auto-update mechanisms in existing clients to
download the update --- usually to save on bandwidth costs.

However, for a security patch that seems 'unfortunate'.

~~~
abraham
Skype's blog post specifically says you can update from the client.

------
benwerd
Not that I'm a conspiracy theorist, but is it a coincidence that Skype's been
in acquisition talks lately?

Also, can someone please create a viable Skype alternative that actually
works?

~~~
joeguilmette
Gmail in the browser is, in my experience, better than Skype. The voice and
video chat worked flawlessly from San Francisco to the Philippines where under
the exact same circumstances Skype stuttered and failed for video
conferencing.

Also - Gmail in the browser is integrated with Google Voice and Google Chat,
so you don't have to suffer through Skype's client just to chat. And in fact
you can continue chatting over your phone through SMS (for free) because
Google Voice is awesome.

~~~
moe
Hunting down browser tabs or detached browser windows is not my idea of a good
chat user interface.

~~~
joeguilmette
Google chat uses Jabber, so any Jabber compatible client will work (ie all of
them)

~~~
moe
As much as I wanted to like jabber (I gave it a fair chance with openfire for
almost a year), there are multiple problems, namely:

1\. Audio and Video calls do not work with "any compatible client". I have in
fact never gotten them to work at all.

2\. Most jabber clients are awful and buggy.

3\. Jabber support in multi-protocol clients is even _more_ awful and buggy.

4\. Nobody uses it, at least over here in Europe.

5\. Everybody over here uses Skype. If there was a _reliable_ way to bridge
jabber<->skype then I would bite and switch again.

~~~
joeguilmette
1\. Yea, for Audio/Video you need to go to the browser (but the browser is
IMHO better than Skype for A/V)

2 & 3\. ICQ, AIM (I think), iChat, Trillian... Etc. I like all of them.

4\. At least in the States everyone uses Gmail (most everyone in SV that is)

5\. Skype is prevalent in the work environment, I just don't know why. It
sucks pretty hard and everyone hates it.

Just my opinion, I have had great success with Gmail/Google Voice and iChat
(for chat with my Gmail Jabber account)

------
ffffruit
This is a conspiracy from Skype to make us upgrade to the latest version of
the Mac client.

~~~
dotBen
It may be that the exploit isn't in the previous version.

The current version appears to have been built by the most moronic team of
developers ever; who knows what crap made its way into the new client.

------
jarin
I hope while they're fixing this they can fix the terrible, terrible, UI bug
introduced in Skype 5 for Mac.

------
moeffju
My guess is that this is related to the Webkit component Skype 5 on Mac is
using for the IM window. So Skype 2/Mac should be safe, as are all other OSes.

Also, it's obviously not "root" unless there's a separate privilege escalation
bug in OS X.

------
loganlinn
I've been looking for a good reason to convince my team to switch from
Skype...

------
janulrich
I wonder which versions of Skype are affected? This might cause those trying
to hang on to the previous version with multiple windows to have to update.

------
RandallBrown
I wonder if you need to accept the attachment or if just sending it is good
enough.

If you have to accept it, then who cares, don't accept attachments from
strangers.

~~~
pudquick
Given that there is a known issue with the current version of Skype (5.x) for
Mac where if you have your language set to something odd, it'll render the
Skype chat windows in raw HTML tags ... I'm thinking the exploit is unescaped
HTML/Javascript, combined with the ability to launch local code.

If you read the original post from the hack team in question, they stated the
ability to at least get a local shell running as a result, so either there's
something resulting in launching local file content (like an interpreter, then
passing commands to it) or something able to crash Skype in an interesting and
controllable way.

Given that the original author also stated that when he tested this on his
GF, she was unable to use Skype for awhile - I have a feeling it's chat
related, was stored in the client chat logs, and was re-launching /
re-executing whenever Skype was being opened.
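
The failure class moeffju and pudquick guess at in this thread (chat text reaching an HTML-rendered message view unescaped, then being re-rendered from the stored chat log on every launch), shown next to its output-encoding fix. This is an added example, not part of any comment and not Skype's code; all function names and the sample log are constructed, and the thread does not establish what the actual bug was.

```javascript
// Added example with constructed names and data; not Skype's code.
// Models a chat client whose message view is an HTML renderer and whose
// history is re-rendered from a stored log every time the window opens.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode text for an HTML element body or a quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: remote-controlled text is concatenated into markup as-is.
function renderMessageUnsafe(msg) {
  return '<div class="msg"><b>' + msg.from + '</b>: ' + msg.body + '</div>';
}

// Hardened pattern: every remote-controlled field is encoded at output time.
function renderMessageSafe(msg) {
  return '<div class="msg"><b>' + escapeHtml(msg.from) + '</b>: ' +
    escapeHtml(msg.body) + '</div>';
}

// History replay: stored messages pass through the renderer on each open, so a
// stored message that is treated as markup stays active across restarts.
function renderHistory(log, render) {
  return log.map((msg) => render(msg)).join('\n');
}

// Comparison check: list the tags in the output that the template did not emit.
function foreignTags(html) {
  const template = new Set(['<div class="msg">', '<b>', '</b>', '</div>']);
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.filter((tag) => !template.has(tag));
}

// Constructed sample log; the second body is a harmless markup probe.
const sampleLog = [
  { from: 'alice', body: 'lunch at 12?' },
  { from: 'bob', body: '<a href="#">click</a> & "quoted"' },
];

console.log(foreignTags(renderHistory(sampleLog, renderMessageUnsafe)));
console.log(foreignTags(renderHistory(sampleLog, renderMessageSafe)));
```

Encoding at render time rather than at storage time means messages already sitting in the chat log are also neutralised the next time the history is drawn.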

