Last month, we were contacted by Pure Hacking, a group of ethical hackers in Australia, who reported what they believed to be a zero-day vulnerability in Skype for Mac 5.x. This vulnerability, which they blogged about earlier today, is related to a situation when a malicious contact would send a specifically crafted message that could cause Skype for Mac to crash. Note, this message would have to come from someone already in your Skype Contact List, as Skype’s default privacy settings will not let you receive messages from people that you have not already authorized, hence the term malicious contact.
At the time they alerted us, we were already aware of the issue and were working on a fix to protect Skype users from this vulnerability, as we take our users’ security very seriously. We subsequently released a hotfix for this problem in a minor update (Skype for Mac version 220.127.116.112) on April 14th. As there were no reports of this vulnerability being exploited in the wild, we did not prompt our users to install this update, as there is another update in the pipeline that will be sent out early next week.
This new update will include some additional updates and bug fixes. When it is released, we will notify all Skype for Mac users of the need to update their software (the client will prompt the user to update). In the meantime, we recommend you update your software with the fix made available on April 14th, just click on Skype -> Check for Updates or you can download the software here.
Please note, Skype’s other clients, e.g. Windows and Linux, are not susceptible to this vulnerability.