MAAS History
Disclaimer

All information provided as is.

Entries by Sean OConnell Public (117)

Friday, May 06, 2011

Condition Remains GREEN

Mitigate the Skype bug reported by Purehacking.com, which only affects Mac OS X. We do not have confirmation of the vulnerability in Skype, the affected version number, or the system details behind the reports. The post on that site contains a spelling error, so we are proceeding with caution, but we think the report may be credible since it has also been reported elsewhere, including at SANS ISC.

This makes it a good opportunity to review several ways to use Skype more safely, the most important being to "Quit" the application when you are done. We think these steps can mitigate the reported Skype vulnerability.

At this time we recommend the following settings in Skype.

  • Make sure that you are running the most up-to-date client, 5.1.0.922.
  • If not, go to Skype.com and install it manually now; "Check for updates" will not install it.
  • Make sure that when using Skype you are not an Administrator on that system.
  • Do not install Skype on any servers.
  • Quit Skype when you are done; do not leave it open.

  • Under Skype>Preferences>General disable "Automatically Accept incoming files."
  • Under Skype>Preferences>General disable "Open safe files after receiving."
  • Under Skype>Preferences>General set "Downloads" as the file folder.
  • Under Skype>Preferences>General disable "Show Address Book Contacts."

  • Under Skype>Preferences>Privacy set "Show picture", "Allow calls from", "Receive Calls to my online number from" and "Allow messages from" all to Contacts.
  • Under Skype>Preferences>Privacy set "Allow video screen sharing from" to "Nobody."
  • Under Skype>Preferences>Privacy disable "Show my status on the web."

  • Under Skype>Preferences>Calls set "Incoming Calls" to "Do Nothing."
  • Under Skype>Preferences>Calls disable "Start video automatically at the beginning of a call."

  • Under Skype>Preferences>Advanced disable "Use Skype Access to connect to Wi-Fi hotspots."

Based on the reporting so far, we think these steps will mitigate the issue reported. Depending on how you use Skype you may alter the configuration, but doing so changes the risk profile. We do not consider Skype a secure form of communication, but it is a useful tool.
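The three operational items above (minimum client version, not running Skype from an administrator account, and quitting it when done) can be checked from a shell. The script below is an added example, not code from the MAAS post or from Skype; it assumes the standard /Applications/Skype.app bundle path and the CFBundleShortVersionString key in its Info.plist, and the version comparison works for any dotted version string, not just the one named in the post.

```shell
#!/bin/sh
# Added example, not from the MAAS post or from Skype: checks the three
# operational recommendations above (minimum client version, Skype not left
# running, not used from an administrator account). Assumes the standard
# /Applications/Skype.app bundle path and the CFBundleShortVersionString key
# in its Info.plist; verify both against your own install.

MIN_SKYPE_VERSION="5.1.0.922"          # version named in the post
SKYPE_INFO_PLIST="/Applications/Skype.app/Contents/Info.plist"

# version_ge A B: succeed when dotted version A is >= B, comparing each
# field numerically; a missing trailing field counts as 0 (5.1 == 5.1.0).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        [ -z "$ax" ] && ax=0
        [ -z "$bx" ] && bx=0
        [ "$ax" -gt "$bx" ] && return 0
        [ "$ax" -lt "$bx" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# installed_skype_version: print the installed version, fail if not installed
installed_skype_version() {
    [ -f "$SKYPE_INFO_PLIST" ] || return 1
    defaults read "$SKYPE_INFO_PLIST" CFBundleShortVersionString 2>/dev/null
}

# skype_running: succeed when a Skype process exists
skype_running() { pgrep -x Skype >/dev/null 2>&1; }

# user_in_group GROUPS NAME: succeed when NAME appears in the space-separated
# GROUPS list (pass "$(id -Gn)"; Mac OS X administrators are in 'admin')
user_in_group() {
    for g in $1; do [ "$g" = "$2" ] && return 0; done
    return 1
}

# skype_report: print one line per finding
skype_report() {
    if ! v="$(installed_skype_version)"; then
        echo "Skype not found at $SKYPE_INFO_PLIST"
        return 0
    fi
    if version_ge "$v" "$MIN_SKYPE_VERSION"; then
        echo "OK: Skype $v is at least $MIN_SKYPE_VERSION"
    else
        echo "ACTION: Skype $v is older than $MIN_SKYPE_VERSION; install it manually from Skype.com"
    fi
    if skype_running; then
        echo "NOTE: Skype is running; quit it when you are done"
    fi
    if user_in_group "$(id -Gn)" admin; then
        echo "NOTE: $(id -un) is an administrator; run Skype from a standard account"
    fi
}

skype_report
```

Run it from the account that actually uses Skype; the version check only catches clients older than the one named above, so it does not replace the manual reinstall the post asks for when "Check for updates" fails.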

Friday, May 06, 2011

Condition Remains GREEN

Disable Java if you do not need it. We are aware of various crimeware kits and tools targeting Windows infrastructure via Java. We have not detected any kits specific to Mac OS X, but Java is a cross-platform environment, which allows criminals to take advantage of systems regardless of operating system.

In October 2010, OSX/Koobface.A (trojan.osx.boonana.a) directed users to sites that downloaded mixed code. Flash, Java and PDF vulnerabilities will be the most economical way to deliver working exploits to Mac OS X systems. Our thinking is that Java, because of its cross-OS nature and Apple's custom update cycle, would be the attack platform of choice.

We recommend the following:

  • If you do not need or use Java, then disable it.
  1. In Safari go to Safari>Preferences>Security and disable Java.
  2. In Chrome visit Chrome://plugins and disable Java.
  3. In Firefox go to Tools>Add-ons and disable Java.

If you need to use Java, we recommend reviewing the following settings in Java Preferences.app:

  • In /Applications/Utilities/Java Preferences.app disable "Allow User to grant permissions to content from an untrusted authority."
  • In /Applications/Utilities/Java Preferences.app disable "Use certificates and keys in browser keystore."
  • In /Applications/Utilities/Java Preferences.app disable "Use personal certificate automatically if only one matches server request."
  • In /Applications/Utilities/Java Preferences.app enable "Enable blacklist revocation check."
  • In /Applications/Utilities/Java Preferences.app enable "Check certificates for revocation using CRL."
  • In /Applications/Utilities/Java Preferences.app enable "Enable online certificate validation."
  • Review Trusted Publishers in the Security pane.

Consider each option based on your specific business needs. For example, if you are developing jars or applets internally, consider reviewing the signing process to ensure that all internal apps and jars used on production systems are properly signed by your organization.
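For the Safari step above, whether Java is still reachable from the browser can be verified rather than assumed. The script below is an added example, not code from the MAAS post or from Apple; the plug-in path is the standard Mac OS X location, while the Safari preference key WebKitJavaEnabled and the rule that a missing key means "enabled" are assumptions from the Safari 5 era that should be checked against your build.

```shell
#!/bin/sh
# Added example, not from the MAAS post or from Apple: reports whether Safari
# on this Mac can still run Java applets after the steps above. The plug-in
# path is the standard Mac OS X location; the Safari preference key
# WebKitJavaEnabled and the "missing key means enabled" default are assumed
# from Safari 5 and should be checked against your build.

SAFARI_DOMAIN="com.apple.Safari"
SAFARI_JAVA_KEY="WebKitJavaEnabled"
APPLET_PLUGIN="/Library/Internet Plug-Ins/JavaAppletPlugin.plugin"

# java_flag_state VALUE: normalise a `defaults read` result into a verdict.
# An empty VALUE means the key was never written, which Safari treats as enabled.
java_flag_state() {
    case "$1" in
        0|false|NO)  echo "disabled" ;;
        1|true|YES)  echo "enabled" ;;
        "")          echo "enabled-by-default" ;;
        *)           echo "unknown" ;;
    esac
}

# safari_java_exposed PLUGIN_PRESENT FLAG_VALUE: succeed when an applet could
# run, i.e. the plug-in is installed and the Safari flag is anything but disabled
safari_java_exposed() {
    [ "$1" = "yes" ] || return 1
    [ "$(java_flag_state "$2")" != "disabled" ]
}

# java_report: gather the two facts from this machine and print the verdict
java_report() {
    if [ -d "$APPLET_PLUGIN" ]; then present=yes; else present=no; fi
    flag="$(defaults read "$SAFARI_DOMAIN" "$SAFARI_JAVA_KEY" 2>/dev/null)" || flag=""
    echo "Java applet plug-in installed: $present"
    echo "Safari $SAFARI_JAVA_KEY: $(java_flag_state "$flag")"
    if safari_java_exposed "$present" "$flag"; then
        echo "ACTION: Safari can run Java applets; open Safari>Preferences>Security and disable Java"
        echo "        (equivalent from the shell: defaults write $SAFARI_DOMAIN $SAFARI_JAVA_KEY -bool false)"
    else
        echo "OK: Safari will not run Java applets"
    fi
}

java_report
```

The point of treating an unset key as "enabled" is that a machine that has never had the checkbox touched is the common case, and an audit that reports "unknown" for it would hide exactly the systems the post is worried about.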