Skype: old vulnerability, new exploit – in the wild
Mac users, and I’m one of them, are in for a serious fall sooner or later. We live in this I’m alright, Jack world; I’ve got a Mac – security is for Windows. We know this is wrong. We know the attacks are coming… But we won’t care till they get us.
Yesterday M86 issued a warning about an exploit they found in the wild attacking Skype. Here’s a clue. Bad guys follow the numbers. Skype has huge numbers (more than 20 million online when I checked just now). That is a huge target to attack. There are more Windows users than Mac users; therefore there are more Windows attackers than Mac attackers. But Mac market share is growing; so the Mac attackers are coming.
But back to the M86 story. Back in October Skype issued an update (version 220.127.116.11) to counter an undisclosed vulnerability. M86 believes that the exploit it has discovered relates to this vulnerability.
As illustrated in Figure 1, the malicious code exploits a Skype ActiveX vulnerability using primitive obfuscation techniques in order to bypass Antivirus security solutions. We can confirm this exploit code works successfully against vulnerable Skype installations. Testing this exploit page with VirusTotal, illustrates the dismal results achieved in Figure 2.
Yes, that’s just one out of 42 AV packages that detected the exploit. But this is not a criticism of the AV companies. They will rapidly build detection into their systems – so make sure you update your AV regularly. But of course you won’t have a problem if you’ve already updated to the latest Skype version.
However, the core issue here is not the antivirus solution’s ability to mitigate this threat, but the fact that the update process remains problematic for many companies. Many users continue to run outdated applications for months, even years, and these old versions continue to be exploited by cybercriminals. Even with the disclosure and security fixes provided by application developers, cybercriminals know that most users rarely update, making it not only easy but beneficial to monitor sites that post disclosures and proof of concept code.
M86 adds one extra piece of advice: “Ask yourself: Do you know what version of Skype you’re running?” Err, no, I didn’t – so I checked. I’m running 18.104.22.1681 – a bit less than the recommended version 22.214.171.124 or newer. I panicked. Surely I hadn’t failed to update for so long?!?
Ed Rowley of M86 came to my rescue. “I guess you’re on a Mac😉 ! The current version for that is 126.96.36.1991. The vulnerability does not apply in a non-Windows environment.” And that’s why we Mac users are so smug now; and why we will fall from a greater height when the bad guys come and get us.
A final word from Ed:
“Our Labs have seen this exploit ‘in-the-wild’ for the first time this week. The vulnerability has been known about and acknowledged for over six months, but this is the first time we’ve encountered an exploit targeting it. Rather than considering it in its own right, we are looking at it as an example of a company alerting people to the existence of an exploit and producing a patch for it, but criminals relying on users not updating. The effects of this human habit of putting off updates can be applied to all software, including operating system and browser vulnerabilities, showing that the window of vulnerability is rarely closed for very long and, if you’ll pardon the extended metaphor, users keep opening it wider by failing to apply updates in a timely fashion.”
So here’s the lesson: whatever software you use on whatever platform, make sure you update, upgrade or patch in a timely fashion; and update your AV daily. This will minimize the period during which the vulnerability can be classed as ‘zero-day’; and is the best defence you can have. Oh, and switch to Mac.