Skype 0day vulnerabilitiy

About a month ago I was chatting on skype to a fellow Agent about a payload for [OMITTED]. Completely by accident, my payload executed in the other Agents client.

I decided to investigate a little further and found that the Windows and Linux clients were not vulnerable. It was only the Mac skype client that seemed to be affected. So I decided to test another mac and sent the payload to [OMITTED]. She wasn’t too happy with me as it also left the her skype unusable for several days.

At this point I figured out what was needed to execute code. So I put together a proof of concept using metasploit and meterpreter as a payload. Low and behold I was able to remotely gain a shell.

That was over a month ago and there still has not been a fix released. The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victims Mac. It is extremely wormable and dangerous.

Specifics on how to perform this attack are available to Senior Agents ONLY until a patch from skype is released.