Published: Thu, February 15, 2018
Science | By Hubert Green

Major Bug forces Microsoft to Rebuild Skype

Major Bug forces Microsoft to Rebuild Skype

As the report explains, the security flaw is related to the app update installer, and if exploited can allow malicious users gain the administrator-level access to affected systems. To make the issue even worse, Microsoft knows the flaw is there and exploitable, but has no plans for an immediate fix because it would require too much work. In simple terms, if someone can place a malicious version of a DLL file that is used by the Skype updater's executable file, they can take full control of a system.

Security researcher Stefan Kanthak found that the Skype update installer could be exploited with a DLL hijacking technique, which allows an attacker to trick an application into drawing malicious code instead of the correct library.

Once installed, Skype uses its own built-in updater to keep the software up to date. Hackers can exploit it using a common but potentially unsafe DLL hijacking method.

"Windows provides multiple ways to do it", he said. The problem could lead to systems being compromised on the Mac, Windows, and Linux platforms.

While Microsoft, who owns the video-calling service, has published plenty advice and guidance on how to avoid this error, Kanthak says the tech giant's own developers seem to be "ignoring it".

If there's a reason why you've never made anyone a SYSTEM user, it's because you can't, you shouldn't, and heaven help you if you do. This basically means, for now the Skype vulnerability stays untreated.

Kantak told Microsoft about the vulnerability in September previous year, but the company said that the release of the hotfix will require a "revision of a considerable part of the code", so the vulnerability will be fixed in the new version of the client.

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.

Like this: