What's going on with Skype?
By Stephen WITHERS
The company did the right thing and reported it to Skype on April 7 without disclosing any information publicly. The response was that Skype was already aware of the issue and that it would be addressed in the next hotfix. That turned out to be version 220.127.116.112, which arrived on April 14.
But that version was initially only available if you downloaded the Skype installer. If you used the program's Check for Updates feature from the previous version, you were told it was up to date.
It wasn't until the arrival of 18.104.22.1685 on May 9 that an update appeared to existing users when they explicitly checked for updates, and a prompt to update started appearing about a day later.
Why didn't Skype take more vigorous action to get users to update the software? According to Skype's Adrian Asher, "As there were no reports of this vulnerability being exploited in the wild, we did not prompt our users to install this update, as there is another update in the pipeline that will be sent out early next week."
So it was just good luck that nobody who stumbled across (or deliberately unearthed) the vulnerability had malicious intent. I don't feel very reassured by that.
Sure, the default settings for Skype mean that you will only receive messages from existing contacts. If someone had developed a worm to exploit the vulnerability, anyone who had changed that setting would have been vulnerable, and then their Macs would have passed on the worm to their Mac-using contacts, and so on.
So will Microsoft's $US8.5 billion acquisition of Skype make any difference? It's not yet clear how closely Microsoft intends to integrate its soon-to-be subsidiary. All we know is that Skype will become a division of Microsoft, Skype will support Microsoft devices such as Xbox (and Kinect) and Windows Phone, and Microsoft will connect Skype with Lync, Outlook, Xbox Live and so on.
Even though that does suggest Skype will continue to operate as a relatively stand-alone division, it seems probable that updates will be released according to Microsoft's Patch Tuesday practice. That is, updates are held until the second Tuesday of the month and then released en masse. The only exceptions are for extremely critical security updates for serious issues that are being actively exploited.
Without intending to cast aspersions about Skype's current development practices, the introduction of Microsoft's Trustworthy Computing approach may improve the Skype software. Leaving aside the jibes, Microsoft products developed after the introduction of Trustworthy Computing do seem to exhibit fewer vulnerabilities than their predecessors, and those that do slip through are generally harder to exploit reliably.
But back to Skype for Mac: even 22.214.171.1245 isn't current! If you download the Skype installer, you'll get 126.96.36.1997, but (as of this writing) there's no mention of what's changed on either the Skype security blog or the Skype Garage (Skype's old release notes link now redirects to the latter).
Does it really matter? Not in the great scheme of things. But if you don't know what's changed, how can you decide whether or not to update?