Security & Privacy

Skype Zero-Day Vulnerability: They Knew About It, Issued Fix, Didn’t Tell Anyone

Posted on May 7th, 2011 by

Security researchers at Pure Hacking recently announced that they had discovered a zero-day vulnerability in Skype 5 for Mac. The flaw could allow a malicious user to send a specially crafted message to another Skype user and then execute code on that user's Mac.

All well and good.

Skype responded that the issue would soon be fixed, but it now turns out that Skype fixed it on April 14 yet did not release the update. They say a fix will be available next week in another update, but if they already have an internal build that fixes the problem, one they made three weeks ago, why didn't they tell anyone? They say, “As there were no reports of this vulnerability being exploited in the wild, we did not prompt our users to install this update,” but the point of a security update is to get software patched before a vulnerability is exploited in the wild, not to scramble to get users to update afterwards.

This is irresponsible on Skype's part. Every company has a responsibility to its users to issue security updates as soon as possible, and not to sit on them just because a vulnerability is not yet known to be exploited in the wild. Skype cannot be sure this vulnerability has not been exploited anyway, unless they are monitoring every user's activity, which we hope is not the case.