May 7, 2011 07:00 GMT  ·  By

Skype says that a patch for a vulnerability in its Mac client that could be used to remotely execute code has been available since April 14th, although users were never automatically notified of it.

Gordon Maddern, a senior security consultant at Australian security vendor Pure Hacking, publicly reported the existence of the critical flaw yesterday.

Maddern found the vulnerability by chance when he pasted a payload to a colleague over Skype as part of an unrelated discussion.

The colleague's Skype client crashed, prompting the researcher to dig deeper into the weird behavior. After additional testing he concluded that only the Mac client was vulnerable.

"So I put together a proof of concept using metasploit and meterpreter as a payload. Lo and behold I was able to remotely gain a shell," the researcher notes.

Maddern calls the vulnerability extremely wormable and dangerous, and explains that an attacker can exploit it simply by sending a message to the victim.

The researcher decided to publicize the issue one month after notifying Skype because he didn't see a fix being released.

On the company's blog, Skype's Adrian Asher claims that a hotfix (Skype for Mac version 5.1.0.922) has been available since April 14th, but that users haven't been automatically prompted to update.

"As there were no reports of this vulnerability being exploited in the wild, we did not prompt our users to install this update, as there is another update in the pipeline that will be sent out early next week," he explains.

Users who want the patch now need to install it manually, by opening the Skype menu inside the program and choosing Check for Updates.
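A quick way to verify that a Mac actually carries the hotfix is to compare the installed client's version against 5.1.0.922. The script below is an added example, not code from the article or from Skype; it assumes the usual macOS layout (the client installed at /Applications/Skype.app, with its version recorded in the bundle's Info.plist under CFBundleShortVersionString, which `defaults read` can print), none of which the article states.

```shell
#!/bin/sh
# Added example (not from the article or from Skype): check whether a
# Skype for Mac version string is at or above the 5.1.0.922 hotfix.
#
# Assumptions not stated on the page: the client lives at
# /Applications/Skype.app and its Info.plist carries the version in
# CFBundleShortVersionString, readable with `defaults read`.

HOTFIX_VERSION="5.1.0.922"

# version_ge A B -> exit 0 if A >= B, comparing dot-separated components
# numerically. A plain string comparison would rank 5.10.0.1 below 5.9.0.1,
# so each component is compared as an integer; missing components count as 0.
version_ge() {
    a="$1"; b="$2"
    for i in 1 2 3 4; do
        # Append dots so cut always sees four fields, even for "5.2".
        ca=$(printf '%s...\n' "$a" | cut -d. -f"$i")
        cb=$(printf '%s...\n' "$b" | cut -d. -f"$i")
        ca=${ca:-0}; cb=${cb:-0}
        if [ "$ca" -gt "$cb" ]; then return 0; fi
        if [ "$ca" -lt "$cb" ]; then return 1; fi
    done
    return 0   # all four components equal
}

# skype_mac_patched VERSION -> exit 0 when VERSION includes the hotfix.
skype_mac_patched() {
    version_ge "$1" "$HOTFIX_VERSION"
}

# installed_skype_version -> print the locally installed client's version,
# or fail if Skype for Mac is not present at the assumed path.
installed_skype_version() {
    plist="/Applications/Skype.app/Contents/Info.plist"
    [ -f "$plist" ] || return 1
    defaults read "$plist" CFBundleShortVersionString 2>/dev/null
}

# Live check: only meaningful on a Mac with the client installed.
if installed=$(installed_skype_version); then
    if skype_mac_patched "$installed"; then
        echo "Skype for Mac $installed: hotfix $HOTFIX_VERSION present"
    else
        echo "Skype for Mac $installed: older than $HOTFIX_VERSION, run Skype > Check for Updates"
    fi
else
    echo "Skype for Mac not found at the assumed path; nothing to check"
fi
```

On a fleet, the same comparison can be fed from an inventory export of version strings rather than from the local plist; the numeric per-component comparison is the part worth keeping, since a lexical compare misreports later four-part builds.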

Asher doesn't mention remote code execution as a risk at all; he refers to the flaw's impact as a crash. That is not incorrect, since the crash is the visible symptom of the same bug that Maddern showed can be used to obtain a shell, but it is misleading, because it suggests a simple denial of service condition rather than remote code execution.