Previous month:
April 2011
Next month:
June 2011

Posts from May 2011

Sorry, Skype, But Your Auto-Update Feature Is A Fail!

According to Skype's Security Blog post right now, I'm supposed to just do an "auto-update" that will give me the latest version 5.1.0.922 of the Skype for Mac client. When I check what version I have, it is 5.1.0.914:

Skype 1

So I go up to the Skype menu and choose "Check for Updates..."

Checkforupdates

And this is what I get...

Skype

So if, as Skype indicates, this security issue was fixed a month ago, how was I supposed to get it?

Sure... it now seems that I can go to the main page and download the software directly, but why would I ever think of doing that?

C'mon, Skype... if you are going to send out security updates as optional updates, please make sure your "Check for Updates" feature works!

P.S. When I first heard of the security issue, after checking the Skype blogs and Twitter streams, the first thing I did was to go into my Skype 5.1 client and do this "Check For Updates". The next thing I did was check the Skype for Mac Release Notes, which still do not list this update that was apparently fixed in April. After that I did some more poking around and then wrote the blog post...


If you found this post interesting or useful, please consider either:



UPDATED: Skype for Mac Has Dangerous Security Vulnerability... and There's No Public Word From Skype

UPDATE: Skype has now published a blog post indicating that a Skype 5.1 update is available for download. As I noted separately, the auto-update process is NOT working for me. It appears that I will need to download the new version directly from Skype's website.

Separately, Skype PR indicated to me that version 2.8 is not vulnerable - although I note that this information is not in Skype's security blog post. (Skype has now confirmed in a tweet that Skype 2.x is not vulnerable.)

It's great that Skype claims they fixed this in mid-April... but if they didn't tell anyone - including, apparently, the security researcher who reported the issue - what value is it that they fixed the issue?

I have a longer piece that I need to write on this... but I'll leave that for another post.

Meanwhile, we finally do have some information and a fix - many hours after it would have been helpful to have had it.

The original post remains below...


skypelogo-shadow.pngFrom the Can-We-Please-Communicate-Better Department... there is apparently an open vulnerability in the Skype for Mac client that lets an attacker send a message to a Skype user and gain remote access. As reported today by Gordon Maddern on the PureHacking blog:
The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victims Mac. It is extremely wormable and dangerous.

Given that I basically live inside of Skype for Mac and use it extensively every day, this is obviously extremely concerning. Particularly because I do let anyone on Skype send me messages... and my Skype ID is easily found on my websites and many other locations (and since is rather obvious - "danyork"). I also tend to leave Skype running on a Mac in my home office that is online all the time. Mostly this provides a way to quickly catch up on chats as I have all the messages already there on that system (rather than waiting for Skype to sync up after it is launched).

Maddern indicates that he contacted Skype over a month ago about this and no fix has come out yet. In his post, he says:

Pure Hacking wont give specifics on how to perform this attack untill a patch from skype is released. However we will give a full disclosure after skype takes action or a resonable responsible disclosure time.

Which is great... except that now attackers will be out there trying to figure out what kind of "payload" he sent that created this condition. There is always the chance that someone may discover the attack.

Where is Skype's Statement?

ZDNet UK covered the story today and received this update from Skype:

Skype has just sent ZDNet UK a statement promising a fix next week. The statement reads: "We are aware of this and will release a fix early next week to resolve the issue. We take our users privacy very seriously and are working quickly to protect Skype users from this vulnerability."

What is concerning, though, is that there is no other public comment on this from Skype...

It's Friday afternoon here in the US... people are about to leave their offices and some % of those who use Macs may in fact leave their computers on and leave Skype running. Are those machines vulnerable? Can someone really just send someone a message and gain control of their Mac?

Which version of Skype for Mac is vulnerable? Is this only in the newer 5.x client? Or does this impact the older 2.8 client?

We need answers, Skype! I can understand that a fix may take some time, but in the meantime we need to understand what the risk is. Are there mitigating circumstances? Or actions we can take in the meantime?

How To (Maybe) Protect Yourself

So what are we to do until there is either a fix or a helpful statement?

1. QUIT OUT OF SKYPE - Obviously this is one option (and one I might pursue on that computer in my office). But that may not be practical for folks... and isn't for me in my work context.

2. CHANGE PRIVACY SETTINGS - It seems to be the biggest change we can make is to only allow chat messages from people in our contact list. This would mean that a random attacker out on the Internet couldn't just send you a message and take over your Mac. You will only get chat messages from your contacts, not random people.

In Skype 5.x for the Mac, you go to the Skype menu and then Preferences and then make sure that the settings are that only Contacts can contact you:

Skypeprivacy 1

On the Skype 2.8 for Mac client, the layout is a bit different but the choices are similar:

Privacy 1

Now, in these images I'm only suggesting you restrict chat messages. In the blog post about the attack, it is very clear that the attack vector is a chat message, so in theory you should only need to change the one privacy option for chat messages. Whether or not you also want to restrict calls to be from your contacts is up to you. Absent a clear statement about the vulnerability from Skype, we have very limited information to go on... but again the blog post was very clear that the attack was through a chat message with a particular payload.

Will that protect your system? I don't know... I'm guessing along with you all.

Now, depending upon how paranoid your mind operates, there is, of course, the case that an attacker could take over a Mac operated by one of your contacts, and then potentially use the Skype client on that machine to then contact you. Maybe that's possible, maybe that's not.

3. RUN AN OLDER SKYPE VERSION - Does this only affect the newer Skype 5.x for MacOS X? Could we be protected by reverting to the older 2.8 client? (which I'm still running on one of my systems)

I don't know... and I wouldn't use this as my only protection mechanism.

Give us a clue, Skype!

We don't know... and that's not a good space to be in.

What can you tell us who are Mac users, Skype?


UPDATE #1 - The Register also covered the story and pointed out that perhaps the attacking chat message could cause other chat messages to be sent out. Again... possible... but we just don't know.

Also, someone pointed out that Skype did have a "public statement", so my title is not accurate. Sure... they gave a statement to ZDNet UK and perhaps other media outlets... but where is that on Skype's public presence? Why not on one of their blogs or on Twitter?


If you found this post interesting or useful, please consider either:



Skype No Longer Doing The Samba - Drops Inbound Numbers In Brazil

skypelogo-shadow.pngInteresting development in the land of Skype... they are no longer offering inbound phone numbers in Brazil. Per a post on Skype's Portuguese blog, translated into English via Google Translate, the company providing phone numbers in Brazil, Transit Telecom, has notified Skype that it will no longer be supplying these phone numbers.

Skype's inbound numbers are now referred to as "Online Numbers" but were originally called "SkypeIn" numbers. For an annual fee of somewhere between $30 - 60 USD per year (depending upon discounts with subscriptions), you can have multiple inbound numbers attached to your Skype account from a range of countries:

Skypeonlinenumbers

In full disclosure, I've had a SkypeIn/OnlineNumber for years and it works extremely well.

The challenge for Skype, of course, is that they typically have to work with local carriers in the individual countries to obtain those inbound numbers (also referred to as "DIDs" in telecom)... and obviously is at the mercy of the local carrier to keep providing those numbers. Now who knows what happened in this case... perhaps Transit Telecom wanted to charge more than Skype wanted to pay... perhaps they had some other business challenge between the two companies.

Whatever the case, Brazil is no longer an option for an inbound number into your Skype account. Per Skype's note, existing Brazilian numbers will continue to work for the duration of your subscription but will not be able to be renewed. Unless, of course, Skype can find another service provider to provide them with Brazilian DIDs...


If you found this post interesting or useful, please consider either:



Making SIP Phone Calls Over IPv6 Using Linphone on MacOS X, Windows, Linux

Want a softphone that can make calls on IPv6 using the SIP protocol? I was... and kept striking out until I discovered that Linphone: a) ran on more than just Linux (it also supports MacOS X and Windows); and b) worked beautifully with IPv6. I wrote up my findings in this post and included some screenshots:
How To Make SIP Calls Over IPv6 Using Linphone (on Mac, Windows, Linux)

It's quite simple to use (assuming you have IPv6 connectivity) and worked very well in my testing. A big benefit to me was that Linphone lets you do direct computer-to-computer SIP calls, without requiring you to register with a SIP server or other IP-PBX. This gets around the need to have an IP-PBX that is IPv6-connected, which could be a different challenge.

Linphone

As I noted in the blog post, I am definitely interested in any info people have about other softphones that support IPv6. Jitsi (the renamed "SIP Communicator") indicates that it has IPv6 support, but it requires registration with a SIP server, and I don't have one of those running on IPv6. If you have info about other softphones (or other VoIP endpoints), please do leave comments either here or on the other blog post. Thanks!

P.S. And yes, I'll be talking about and demo'ing Linphone in my IPv6 and SIP webinar on Thursday, May 5th.

P.P.S. If you want to set up IPv6 on your home network, I've posted instructions with an Apple WiFi device (Time Capsule, Airport Express) and more generic instructions using Tunnelbroker.net.


If you found this post interesting or useful, please consider either:



Reminder: Free Training on IPv6 and Communications Apps (including SIP) on Thursday, May 5, 2011

voxeologohoriz.pngAs I mentioned last week, I'm speaking in a "Developer Jam Session" on this Thursday, May 5, 2011 on the topic of:
IPv6 and How It Impacts Communication Applications

I'll briefly cover IPv6 basics, talk about how it impacts building communication applications and the SIP protocol and then have some demonstrations of SIP-over-IPv6. You can learn more about the session and register on the Jam Session web page.

It's free to attend the session - and it will be archived for later viewing if you can't get there live during the session.

It should be an educational session and I expect I'll be writing a good bit more about IPv6 in the weeks and months ahead. (You can see some of my writing over on Voxeo's blog at http://blogs.voxeo.com/speakingofstandards/tag/IPv6/ and here on this blog at http://www.disruptivetelephony.com/ipv6/)


If you found this post interesting or useful, please consider either:



Mitel Reorganizes - President Leaves, Business Units Simplified, More Changes

mitellogo.jpgMitel today announced a series of organizational changes, including the departure of Paul Butcher, Mitel's President and Chief Operating Officer. The news release indicates they are merging together various sales organizations and simplifying the business units into three:
  • Mitel Communications Solutions: responsible for delivering unified communications and collaboration products and services to businesses.
  • Mitel NetSolutions: responsible for network and hosted services, mobile services, and broadband connectivity.
  • Mitel DataNet: responsible for the distribution of third-party products to partners and customers.

It also briefly mentions the departure of Paul Butcher as of Saturday. From a product point-of-view, there were two statements I found interesting:

  • "a re-direction of our R&D investment to products serving the high-growth market of 100 to 2,500 user organizations." Which makes sense, given that this area is one in which Mitel has traditionally done well.

  • "we intend to exploit our significant market leadership in voice virtualization." i.e. continuing their partnership with VMware. Again this also makes sense given that people are looking for solutions to deploy more applications with less hardware... and looking at virtualization as one of the potential solutions.

To me, all of this is naturally to be expected after Mitel appointed Richard McBee the new CEO back in January 2011. A new CEO comes in and he'll listen for a few months... and then start making changes. Obviously this is his reshaping the organization in the way he thinks it should go.

In that vein, the departure of Paul Butcher is not surprising. Paul had been in the CxO part of Mitel since 2001, coming in at the time when Terry Matthews bought the company back and launched it on its current course. Over that time he was quite involved in many aspects of the company and worked quite a bit with the now-retired CEO Don Smith. With a re-org of this magnitude and with a new CEO wanting to reshape the organization, it's not surprising that some of the previous leadership would leave. I wish Paul well with whatever comes next.

I wish Mitel well, too. I haven't been writing about Mitel all that much lately, but that's more because my own interests are no longer as much with the IP-PBX space that Mitel plays in. If you look at my recent writing, it's mostly been about SIP, Skype, mobile devices... with a handful of IPv6, Voxeo and other topics thrown in. I haven't been really writing about any of the IP-PBX and Unified Communications vendors for a while.

Regardless, I wish them well... though I only recognized a couple of the names in the news release and much has changed since I left Mitel back in 2007, I still have good friends working there and Mitel still has outstanding technology. Their challenge has always been around getting that story out to the larger world. Perhaps these changes will help. We'll see.


If you found this post interesting or useful, please consider either: