We don't know what those "security issues" are.
We don't know, for instance:
- Are they related to the remote exploit that was publicly disclosed on Friday? Or to related attacks on the same theme? (as discussed on SecNiche today)
- What is the severity of these "security issues"? Remote compromise? Denial of service? What?
- What priority should we place on getting this update in place? Is it an "UPDATE NOW!" kind of priority? Or an "Update when you can" one?
- What kind of mitigating circumstances are there for these security fixes?
- Are there any workarounds that could be put in place at a network layer (or any other layer) to prevent attacks on individual systems (i.e. as a safety measure until the individual clients are all updated)?
We need to know this kind of information.
Particularly as Skype tries to move further into the "business" or "enterprise" market space, this level of NON-disclosure is unacceptable.
In comparison, take a look at any of the recent Microsoft security bulletins, like, oh, this one, and you can see the kind of information that a security professional is looking for. Now, sure, Skype doesn't necessarily need to go to the level of detail that Microsoft has... but something more than just "Security issues" is necessary.
Letting Us Know?
Additionally, why again is Skype issuing a "hotfix for security issues" without telling anyone about it? Just like they did back in April?
Once again the hotfix is mentioned only on Skype's Garage blog. Nothing on Twitter from either @skype or @skypesecurity. Nothing on the Mac blog (although they finally updated that blog about the issue on Friday). Nothing on the Security blog.
And once again, the "Check for Updates..." feature in Skype 5.1 does not show a new update available.
So apparently the only way we can get this hotfix for unknown "security issues" is to go to Skype's main download site and download it!
C'mon Skype! You can do better than this!
Recommendations for Skype
So rather than just rant, let me offer these suggestions to Skype for what they should do when they have a "security hotfix":
1. Provide More Info - Saying it is simply "security issues" doesn't cut it. We need to know things like:
- What is the severity of the security issue? If an attacker could compromise the Skype client, what could he or she do?
- How easy is it for an attacker to execute an attack? Can the attacker be remote? Do they have to be a contact?
- Are there mitigating circumstances that would make an attack less likely?
- Are there workarounds that could be put in place at a larger level than just the client?
- What is the potential exposure of NOT upgrading?
Skype should look seriously at tools like the Common Vulnerability Scoring System (CVSS) used by many software/hardware providers (see also the CVSS FAQ). And while perhaps the full CVSS process may be too heavy for a smaller organization like Skype, the document at least gives insight into the type of questions security professionals want.
Similarly, the Cisco Security Vulnerability Policy and its associated links are worth a read. Again, it may be too heavy a system for a smaller company like Skype... but then again, among all the new hires Skype is planning, perhaps they could hire some people specifically to work on this process.
2. Let People Know About The Security Hotfix - Skype has a "security" blog and a specific @skypesecurity Twitter account. They should be used to communicate the availability of security hotfixes. Security professionals at companies using Skype would then know that they need to subscribe to or follow those sites to learn when there are new issues needing attention.
3. Make The Security Hotfix EASY To Obtain - Make the "Check for Updates..." process work from the beginning. The blog post or other announcement should be able to state that Skype users can simply go to "Check for Updates..." to download and install the new version. Perhaps this means that the blog post has to be delayed until the new version is uploaded to whatever update servers Skype has... but so what? Wait a bit - or improve the internal process so that these uploads happen faster. The end result will be that MORE people will update sooner, which, I would think, should be the goal.
Those three steps would help people feel a whole lot better about Skype's concern for security - and would also make sure that Skype users are better protected. It would also help Skype's reputation, brand, etc.
And it would stop people like me from writing blog posts like this. ;-)
Seriously, Skype... security matters... and even more, communication about security matters. We all know that with any system there are security issues... no system is perfect and attackers will always try to compromise systems. We get that. It is how you react and communicate about those security issues that is so incredibly critical.