A Skype representative told Macworld that the bug affects version 5 of Skype for Mac, but not earlier versions. The vulnerability was discovered by Gordon Maddern of security research firm Pure Hacking.
“The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victim’s Mac,” Maddern wrote in a blog post. “It is extremely wormable and dangerous.”
According to Skype, any attack that exploited the bug would involve sending a maliciously crafted message to someone on the attacker’s Skype Contact List. The flaw does not affect Windows or Linux users, Skype Chief Information Security Officer Adrian Asher wrote in a blog post on the issue.
Skype said it will push out an update to its Skype for Mac software early next week, which means that all Mac users should be offered the fix within days.
But security-conscious people can already download a “hotfix” version, 5.1.0.922, that Skype released on April 14. However, to date, Skype hasn’t pushed a notification of this patch out to its users. The company’s blog post said that because “there were no reports of this vulnerability being exploited in the wild, we did not prompt our users to install this update.”
Skype users who want the fix right now can click on Skype -> Check for Updates, or they can download the latest update from Skype’s website. All Skype 5 users for Mac will be prompted to download a larger update that includes the fix early next week.
[Macworld staff contributed to this report.]