Skype on Monday began prompting users of the Mac version of its internet telephony software to install an update that kills a zero-day vulnerability.
Researcher Gordon Maddern at Pure Hacking, a white-hat firm based in Australia, said in a blog post Friday that he discovered the flaw last month by accident. The bug could have enabled an attacker to take control of a victim's computer simply by sending a malicious message.
"About a month ago I was chatting on Skype to a colleague about a payload for one of our clients," he wrote. "Completely by accident, my payload executed in my colleague's Skype client... The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victim's Mac. It is extremely wormable and dangerous."
Maddern said he used the open-source Metasploit framework to craft a proof-of-concept, then notified Skype about the vulnerability. But the vulnerability was never fixed, he said.
As it turns out, the flaw actually was remediated April 14 when Skype issued a hotfix for version 220.127.116.112 for Mac, said Adrian Asher, chief security officer of Skype, in a Friday blog post. However, because there were no reports of active exploits, Skype did not prompt its users to install the update.
And Asher downplayed the risk of the bug anyway. He said that because Skype is set up in such a way that users cannot receive messages from people they have not approved, a worm would have had difficulty spreading.
Users are now being asked to manually install the update that began circulating Monday, 18.104.22.1685, Asher said. Clients for Windows and Linux are not affected by the vulnerability.