As the Leave Comment feature on Skype’s blog does not seem to work in Safari, I’ll leave some comment on this here. Some serious information is incorrect or missing from Skype’s security information for Skype for Mac 5.x (2.x is rerported not to be affected).
Skype released a very terse message on their Mac blot today pointing to an earlier post on their Security blog. The information in this post is either incorrect or there is another vulnerability out there that they haven’t informed their users about yet. The vulnerability described in the blog post explicitly states that a specially crafted, malicious “message would have to come from someone already in your Skype Contact List”. I have seen many crashes over the last few weeks with version 188.8.131.524, none of which caused by messages from people in my contact list, but by contact requests, which for obvious reasons can be sent by people not (yet) in ones contact list.
If these crashes are related to this vulnerability, it would contradict both Skype’s statement that the malicious message has to be sent by an approved contact and that the vulnerability is not exploited in the wild. Hopefully, Skype is right and they are unrelated, but to err on the safe side I would recommend anyone using Skype for Mac 5.x to not wait for Skype to release a new version next week, but to upgrade immediately to the latest release 184.108.40.2062 here. This version will not show up via the Check for Updates menu as Skype deemed the hotfix non-critical, exactly because it can only be caused by approved contacts and is not seen in the wild, so their users have to find out and install the update manually themselves.
Update: Skype has released Skype for Mac 220.127.116.115 which includes unspecified Security updates with no further explanation as they wish to “wait for the majority of our users to update before detailing / discussing any of the specific issues that have been fixed”.
Update 2:Legitimate contact requests also crash Skype.