Skype can't fix a nasty security bug without a massive code rewrite

Microsoft won't plug a huge zero-day in Skype because it'd be too much work

Although the attack vector has been demonstrated using the Windows version of Skype, Kanthak said he believes that the same DLL hijacking method could also be applied to Skype versions for macOS and Linux.

A security bug has been uncovered in Skype's update process that could allow hackers to gain access to a user's computer. However, Microsoft is reportedly not going to take the needed action anytime soon. In the meantime, the bug could be exploited to escalate "a local unprivileged user to the full 'system' level rights - granting them access to every corner of the operating system".

Skype might seem an unlikely app through which to target a user, because the app runs at the same level of privileges as the local, logged-in user, making it hard for attackers to do much with that low level of access. They've reviewed the code and were able to reproduce the issue, but have determined that the fix will be implemented in a newer version of the product rather than a security update.

However, this is not the first time such an issue has been brought to light.

Kanthak told ZDNet Monday that Microsoft was informed of the bug back in September.

The notes cite a Windows-specific DLL injection vulnerability as the reason a code rewrite is needed, which Microsoft apparently isn't prepared to do yet. In the same response, Microsoft promises to develop and ship a newer version of the client.

After conducting a series of tests, Kanthak discovered that the problem affects Skype's update installer.

Security researcher Stefan Kanthak found that the Skype update installer could be exploited with a DLL hijacking technique, which allows an attacker to trick an application into loading malicious code instead of the correct library.

Well, in our opinion, with this revelation it is better to uninstall Skype for now until we get the newer version, which is safe for users.
