Feeds

back to article Skype bug gives attackers access to Mac OS X machines

Mac users running Skype are vulnerable to self-propagating exploits that allow an attacker to gain unfettered system access by sending a specially manipulated attachment in an instant message, a hacker said. “The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control …

COMMENTS

This topic is closed for new posts.

we'll hear real contrary news later

I expect it will sound like this:

1) you have to accept or in some other way interact with the attachment, it can;t auto-execute.

2) gaining shell access is not gaining root access.

3) root access is only gained if previously enabled (not the default, and not commonly done by accident).

4) it only works for people on your friends list

5) some settings in Skype that are not the default may need to be set, turned on/off.

6) since use of skype essentially required using a current version, by the time an ITW exploit exists, all active skype users will be patched and this attack vector will be useless.

7) though in some cases (noted) root access can be attained, installation of executable code is still not possible without further user interaction, including entering of the keychain password.

1
4
Bronze badge

whew, close call...

I wiped Skype off my iBook about three years ago after trying it out and finding it to be a slow, bandwidth-sucking, useless pain in the ass.

Good points, too. Basically, it'll be like someone you're talking with saying to you, "hey, I have this executable I'd like to run on your Mac. Can you give me shell access? Let me know when you've done it."

0
4
Bronze badge
Thumb Up

Good points

Although the likelihood of a hacked PC belonging to someone in your contacts list is still not negligible. Numbers alone make it less probable that it will be a Mac, but given the number of machines that are set to autologin is a possibility.

0
0
Flame

With friends like that...

> 4) it only works for people on your friends list

I remember a classmate "friend" in the past sending me a trojan to steal my homework back in my college days...

0
0
Stop

Oh but but but

Macs are more secure and nothing bad can ever happen on a mac like EVER!!!! I promise no sarcasm was used in the crafting of this post!

17
7
Gold badge

App bug

It's funny because I remember everyone saying DEP would stop all these sorts of things.

Anyway how can a bug in an application be the fault of the OS? the OS has to give applications access to services and APIs or else the application would never be able to do anything.

If this bug says anything it is that Skype (like many others) can't code OSX apps for toffee.

5
2
Silver badge

Application fault

I agree that it is Skype's fault - such failures aren't the OS's responsibility.

However, I'd say that an OS that suffers because of an application failure of -any- sort is not very well designed or implemented. So OS X isn't entirely blameless, and neither is Windows, for similar cases.

Are there any robust OSs out there?

2
1

yes.. iRMX

even catastrophic hardware failures don't crash that thing.. Has a funny way of working. Kernel is sealed in the first page of the PC ( first 64K ) . All remaining memory is essentially a ramdrive.

A program is simply copied from disk and executed. Each program is allowed a scratchfile ( in the ramdrive ) the Os sets the max size of this ramdrive. Any variables used by the program reside in this scratchfile. If a program crashes it is simply reloaded into a different 'sector' and the link is restored to its scratchfile. This scratchfile also includes a stack , heap and all other constructs. Essentially this scratchfile acts as a VM.

I had an ion-implanter (made by Eaton) running on a 386 with a full windowed graphical user interface ( There is a graphical shell on top of iRMX ) Each button or menu is essentially a standalone program that interacts with others. All of a sudden the system console pops up : Memory error at address .. (i forgot the actual addres sbut it was in the high memory ). Reloading affected elements..

and a few seconds later the system was fully operational as if nothing happened.

The fault was a defective DIMM. iRMX had trapped an unstability , moved the corrupted programs to a different 'sector' and marked that portion of the 'ramdrive' as bad. After reloading fresh copies of the affected elemetns it simply pointed them back to their runtime file and they happily took of where the previous instance failed.

The machine kept on running for many more weeks until we shut it down for a scheduled maintenance at which point the faulty dimm was replaced.

As long as the first 64K of memory does not get corrupted by physical damage you cannot crash iRMX.

iRMX lives on as InTime, a concurrent RTOS that can coexist with other OS's and runs simultaneously on multicore processors. It is used for things such as medical equipment, machine control and other 'critical' applications. the critical portion runs on a dedicated core under iRMX. this communicates with a non critical host OS and lets the host do the visualisation and user interface. Even if the host Os fails the iRMX portion remains running and maintains integrity on the system to be controlled.

2
0
Bronze badge
Pint

Indeed...

The very fact that you wrote your pointless drivel in the tone of a 13 year old child, ( "like EVER!!!" ) speaks volumes to me. Now run along Sonny, the adults are having a grown-up discussion about computer security.

3
2
Anonymous Coward

@FordPrefect

And no originality was used either...

0
0
Jobs Horns

See?

It is not only Windows OSes with this type of issue. Become the number 1 in anything and you will be a target. Even the Apple blackbox has holes in it and more and more will be found.

YaY! As long as my Linux Mint is safe I don't care.

0
13

Semantics

"Bug", not "target". Someone found a bug. It's a potentially *nasty* bug, but it's not malware, it's not a virus.

4
1
won

well dammit

Presuming Skype isn't nice enough to maintain multiple versions of the software on Macs, all the folks (including myself) still on Skype 2.8.0.863 and below will now be "forced" to upgrade to an (ahem) "improved" interface 5+ version, or suffer the impunity of a known security hole staring right at them (gazing into the void, as it were).

Including of course those on PowerPC-based machines and/or using OS X versions earlier than Leopard 10.5.8 who can't use Skype 5+ anyway.

I must try to find other workaraounds! Never surrender, cold, dead hands etc.

0
0
Anonymous Coward

Versions

Skype hasn't said if the previous versions were susceptible or not to the vuln. Just because 5.x is, doesn't mean previous versions are.

0
0
Joke

Hmmmm

@FordPrefect and @Rombizio I think it's Skype that has issues, not the all mighty Mac, afterall... it's flwaless

5
2
Jobs Halo

flwaless

Lol - I'm in complete agreremnte (spelling will be fixed in next patch, and is harmless - don't worry, you'll always be safer than than Windoze).

1
1
Silver badge

Hmm

Do you have to have the "accept files automatically" option checked? (A stupid option, it should be got rid of.)

And do you have to have the 'Open "safe" files after downloading' option checked? (The same one which allows a denial of service attack in Safari and they Apple still haven't removed it from Safari.)

If the second option behaves in Skype as it does in Safari then it should run installer packages if you click on 'ok', and installer packages contain shell scripts.

If you run Skype in a limited user account (as I'm sure we all do), you're safe(r), right?

And probably even safer still if you don't set the options to accept and run any file that someone on the Internet sends you through IM. Bit stupid, that.

0
0
Anonymous Coward

Hmmm indeed

Unfortunately the bulk of the populace aren't sufficiently interested in computers/computing to realise what 'stupid' behaviour is. I'm tired of hearing OSX people telling me how unlikely it is that a user would allow permissions to do X Y or Z then seeing examples of it happening. No OS is impervious to the vulnerabilities introduced by third party software or the 'stupidty' of users who believe they are secure.

As has been said before, make something idiot proof and nature creates a better idiot.

5
2
Anonymous Coward

Secure

Every OS is 100% secure if you don't have it connected to a network of any kind, the USB ports and all external methods of storage are disabled, no keyboard, mouse or display is connected as well. The computer will never get a virus, malware, bot and will never have crashed.

0
0

Exactly !

All these problems are in 99.99% of the cases classic examples os PEBKAC : Problem Exisits Between Keyboard And Chair. The other remaining 0.1% are hardware faliures.

0
0
Happy

PEBKAC?

Or BCAM - Between Chair And Monitor;

Or my favourite:

PICNIC - Problem In Chair Not In Computer

0
0

Jumbo mumbo

I am certain they are retro-proactively moving against this threat delta to achieve ducks-in-a-row parity on their major talking points, while maintaining an aggressive anti-negativity posture informed by agile crowd-sourcing.

And it was good.

0
1
Stop

No, you misunderstand...

Serious analysis of Mac attacks has identified users as the primary vector. Therefore, Apple are working on a strategy which eliminates the end-user. Expect future Apple products to rely less upon the comprehension of the user. Eventually, Apple products will be entirely self-reliant, and will utilise their in-built Jobbsian decision-making software(TM) to decide who you need to talk to and when, and what you need to say.

Something like the flappers in Swift's Laputa.

3
1
Joke

Still

The reason no one should use the current version of skype is that some point between the versions they took the UI, put it in a blender- ate it - then vommited all over the desktop.

This vunerability is irrelevant because skype made their client impossible to use.

8
0
Flame

+1 on the interface

...I mean what were they thinking? were they even thinking?

That and the fact that on startup, I have 5 apps opening on login, yet skype is always the last to finish? I can even get iphoto to load before it, and that's really saying something.

Total POS. And now it's insecure too. Way to go Skype...

1
1
Gold badge

It will soon be an irrelevant problem.

If Farcebook buys them (as it rumoured) you will either have users who are be default exposed, or are not exposed at all because they have left in disgust. I hope to be in the latter category if I find a decent replacement with the same or better functionality...

0
0
Coat

Vomit?

I don't think the Skype UI designers vomitted all over the desktop, they let it pass normally through their digestive tracts and excreted it. Skype 5 for mac isn't a pavement pizza, it's a steaming pile of poo.

Fortunately there is a much better version available. For some reason the improved version has been called Skype 2.8 for mac instead of Skype 6 for mac. I never have understood the world of product marketing.

1
0
Silver badge

Mac only? Or BSD too?

Not that I use Skype, just curious. Come to think of it, does Skype even run on any of the BSDs? Somehow I can't be arsed to look.

0
1
Thumb Up

Yes

Yes it does. http://www.freebsd.org/cgi/cvsweb.cgi/ports/net/skype/

0
0
Anonymous Coward

So what do we have here then?

So there's a remote code execution exploit that is of limited usability--a malicious attacker would first have to social engineer themselves into the address book OR somehow affect to remove the disallow instant messages from unknown sources restriction. Moreover, it yields shell access which isn't quite root shell access yet, on a plaform that typically doesn't even enable root access, has reasonable intrasystem firewalls and user separation, makes it easy to maintain that separation for the user, and actively warns the user not to be frivolous with admin and root rights.

Skype apparently had already noticed a crashbug that underlies this and fixed up a patch for that, but because they didn't want to scare their users and they didn't have reports of it being abused in the wild, they didn't make a lot of noise about it. Now you can quibble about that last bit (and I would, from a technical perspective), but from a business perspective it's defensible, and it allows them to say that they have released a patch that takes the sting out of this months ago, and another coming up next week.

Though it would be nice if older clients too got paches instead of forcing everybody to update to the very latest, that apparently has a wildly different interface. But the point is: As dealing with security issues goes, it's not bad a all; I'd say it's fairly well done.

1
2
Stop

Let's imagine...

...that I'm targeting a specific individual at an organisation. I do my research (LinkedIn, trade show, be imaginative). I manage to get myself on their contact list, perhaps using a spearphising attack with a simple AppleScript payload to add me to their list if I've not tricked the target into a personal relationship.

Now I initiate a conversation and exploit the vulnerability. I now have shell access. "But it's not a root shell" you say. No, but who cares! I have the victims data, private keys, whatever I want. I can drop a script in Startup Items to create a reverse SSH tunnel on a high port and I can get back in whenever I want.

As for Skype "not wanting to scare users" because they didn't have "reports of it being abused in the wild". Right. Would you even know if it had been used against you in this scenario? Would you necessarily want to report such a breach if news of it would impact on your share price? Skype's response may not be Adobe-lame, but it is lame.

I'm a Mac user. I also might be paranoid. But I cringe whenever I read comments like yours, or comments from Mactards/fanbois who exist on their little security islands.

1
1
Anonymous Coward

Cringe away then.

You know, you could set up a separate user account and run programs like skype under a different uid, mitigating the access to data. Private keys ought to be stored under password and that sort of thing. The point is, you can, and it's not all that difficult to use such capabilities if you care to.

If you don't care to, then that's exactly the risk you run with any and all program that "does things" with the network. Cost of doing business and all that. You're not going to change overnight that software will have holes in it, and sometimes blatant sloppy ones to boot.

Yes, this should change --that I've been advocating too, just not in this thread-- and we've known or could have known literally for decades: EWD remarked on it, for example.

In the meantime there's the occasional hole to be dealt with, and doing that properly isn't that easy; many, many get it horribly wrong. Down to actually suing the guy reporting vulnerabilities or neglecting to fix blatant security vulnerabilities for over a decade.

I'm fairly sure this particular bug will not have been used against me because I don't use skype and don't have it installed. How others would've known, I don't know, but I did mention that I'd quibble with skype's decision not to want to scare the users for technical reasons, and that's this, pretty much. But as a business decision, it's defensible simply because of how marketing works. "Come eat cold, dead fish!" and all that.

But I say again: They've acted on earlier reports and did create a patch even though they (even if hindsight says mistakenly) believed it wasn't too big a deal, and they've promptly acted on this report and promised a patch quick-like. Of what I've seen they did was by and large constructive. It doesn't really do to slag them for that. If you believe you know better, do tell.

Oh, and FWIW I don't count myself a fanboi; main box is FreeBSD, and my trade is system administration and software engineering both. Incidentally I have seen both sides of having to fix security scares like this. You apparently have not.

1
0
FAIL

Execution permissions

I've been trying to allow execution on specific folders - though at the moment it's been a bit of a fail. I'm now thinking to just deny all execution from any user folder which would solve this problem...

and not allow any user from writing to any directory outside the the user folder...

Normally needs a mac os x server but hopefully will be able to extract the changes to implement without an os x server.

I've always thought being able to just drag apps and run them from anywhere (any platform) can lead to bad things... execution should be locked down by default...

0
0
Anonymous Coward

You can do that.

The traditional unix way (recall darwin underneath all the proprietary gloss is plenty unix-y) is to separate the user directories out as a "mount", say as a separate disk or separate partition on disk. Then mount it noexec. It would likely be less work but more digging up of how exactly to do it with ACLs, but that also should be possible.

But skype was probably installed /by the admin/ and therefore /with admin rights/, and its binaries won't be in users' home directories. What typically happens in cases like this is that the program running in memory (which is no longer quite the same as what's on disk) gets clobbered and accidentally executes binary code that was deliberately and maliciously injected into memory, not necessarily onto disk. So noexec won't really help you here.

noexec isn't a bad idea for locking down corporate or kiosk type boxes, mind. But it won't protect against this sort of attack.

0
0
Anonymous Coward

What ?

Even if it has been installed by root it will execute with the user privileges.

As an example an editor, owned by root, might be set world executable but it wouldn't let me write a file to anywhere I wasn't allowed

0
0
Anonymous Coward

Yes. And that is also entirely besides the point.

I did not say that programs installed by root will execute with root privileges. If you think I said that, turn on your brain and read again. Now that you mention it, they might, but only if set by root to do so--that's what suid does, and that of course only should be turned on if strictly necessary. Anyhow.

I did say that you can prevent users from executing programs dropped into their home directory, as dino expressed he desired to do. I even mentioned how.

I also said that this "noexec" trick does not prevent remote execution exploits as described in the main article. Moreover, I briefly sketched why.

Any questions about the above?

0
0

Skype Privacy Settings don't work

"...this message would have to come from someone already in your Skype Contact List, as Skype's default privacy settings will not let you receive messages from people that you have not already authorized..."

...and this would be good, if it were true.

My Skype privacy settings are all set to "People in my contact list only" but every so often, I get an IM from someone not in my contact list (typically spam). When you check in Skype's forums, you will find that this is a known issue that has been around for some time and that Skype periodically claims to have fixed it.

0
0
Unhappy

"that masquerades as a legitimate antivirus program"

Would that be like McCrappee? Some sort of performance sucking bloated leechware that can turn the latest bit of kit into something slower than an Amstrad 386? As opposed to something well written and targeted that does the job with minimal overhead and doesn't decide that critical Windows DLLs are viruses every couple of months

Wonder why Intel wanted something that makes anything but the absolute latest hardware run like a PoS?

Oh, I get it...

0
0
Anonymous Coward

~acoward/test/a.out

>Completely by accident, my payload executed in my colleagues skype client.

This is a bug which allows execution of code by merely talking or writing about that code. This is known to work in English, but it has not yet been confirmed that it works in other languages.

0
0
Joke

Another vulnerability was detected

Security companies have just released a press statement that a massive security vulnerability - the "user" - has been detected on most systems. He-She will be removed at the next OS update...

2
0
Anonymous Coward

With friends like that...

... who needs enemies?

Seriously, if your using skype and are accepting any contact automatically and *then* accept files from them, I'm sorry, but your ... an ass.

This is a classic case of relying on the stupidity of users, which I guess is how most malware spreads these days.

1
0
Thumb Up

Skype will only install as root on Os X

That was a design flaw from the start (also applies to Silverlight). Therefore they grab root access and if compromised can get access to your whole system. #softwarefail

Like my Mac but hate some software that's written for it.

0
2
Joke

course his girlfriend wasn't happy

but maybe he just needed a rest from skype for a day or two.

JOKE ALERT: I cast no aspersions on the man's good lady girlfriend or if she is an excessive skyper.

0
0
Silver badge

Bah!

Oh Noes!

The resulting botnet will number in the dozens!

0
0

Europeans

Why can't we Europeans design a decent UI? Look at the rubbish Skype or Spotify, worst ever. We can design cars, furniture, cities, and landscapes, but a compter application - no. Why is this so difficult?

Oh yeah, the Skype vulnerability is also bad, just not as bad as UI.

1
0
FAIL

Shocking UI

I was going to say something similar but you got there first. It is one of the worst UIs I've ever seen (on Win and now Mac - the Linux version is so old it's actually still usable).

0
0
Joke

Ahhh

So that's why MS is buying Skype.

0
0
Joke

Bleeding heck

Microsoft don't half work quick when they want to.

0
0
This topic is closed for new posts.