Wednesday, 20 February, 2019

Skype security flaw 'ignored' by Microsoft could let hackers into your computer

Sherri Watson | 16 February, 2018, 02:38

To be clear, this security flaw only affects the Skype for desktop app (not the Skype UWP app on Windows 10 PCs), which uses its own update installer that is vulnerable to this DLL hijacking technique. To make the issue even worse, Microsoft knows the flaw is there and exploitable, but has no plans for an immediate fix because it would require too much work.

Recently, security researcher Stefan Kanthak discovered a bug which may cause a Skype update to load malicious code instead of the intended library. The bug works because the malicious DLL is found first when the app searches for the DLL it needs.

Once that code was installed, Skype would use its integrated updater to keep the software up to date, and when that updater runs it launches another executable file that performs the update, and that executable is the one vulnerable to hijacking. Also gone is the ability to program your own add-ins and apply them to Skype to enhance recording and a variety of other features that made the product useful. Once system access is granted, it "can do anything", he says. The problem could lead to systems being compromised on the Mac, Windows, and Linux platforms. But Microsoft told the researcher that the fix would need "a large code revision" and will be released with a newer version of Skype instead of through a security update. Microsoft also mentioned that all its resources have been put toward development of the new client. The malicious code can be stored in the temporary files of the system you are logged into.
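To make the search-order point concrete, here is an added Python model (not code from the article, from Skype or from the researcher) of the Windows loader's default DLL search order, with a check that flags a DLL as at risk when the path the loader resolves sits inside a user-writable directory such as %TEMP%. The directory names and the name example.dll are constructed sample values; the article does not name the affected library.

```python
from pathlib import PureWindowsPath

# Windows DLL search order with SafeDllSearchMode enabled (the default).
# KnownDLLs (e.g. kernel32.dll) always load from System32 and are not
# subject to this order; the model below ignores that special case.
def search_order(app_dir, cwd, path_dirs):
    return [app_dir, r"C:\Windows\System32", r"C:\Windows\System",
            r"C:\Windows", cwd, *path_dirs]

def _norm(p):
    # Case-insensitive comparison, as NTFS paths are case-insensitive.
    return str(PureWindowsPath(p)).lower()

def resolve_dll(name, app_dir, cwd, path_dirs, present_files):
    """Return the path the loader would pick for `name`, or None if absent.
    `present_files` is a set of normalised paths standing in for the file
    system (constructed sample data, not a live scan)."""
    for d in search_order(app_dir, cwd, path_dirs):
        candidate = _norm(PureWindowsPath(d, name))
        if candidate in present_files:
            return candidate
    return None

def hijack_risk(name, app_dir, cwd, path_dirs, present_files, user_writable):
    """(resolved_path, at_risk): at_risk is True when the DLL the loader
    picks sits inside a directory a standard user can write to."""
    resolved = resolve_dll(name, app_dir, cwd, path_dirs, present_files)
    if resolved is None:
        return None, False
    at_risk = any(resolved.startswith(_norm(d) + "\\") for d in user_writable)
    return resolved, at_risk

# Constructed sample: the updater executable runs from %TEMP% (user-writable)
# in one case and from Program Files (admin-only writable) in the other.
TEMP_DIR = r"C:\Users\alice\AppData\Local\Temp"
UPDATER_IN_TEMP = TEMP_DIR + r"\SkypeSetup"
UPDATER_IN_PROGFILES = r"C:\Program Files\Skype"
SAMPLE_FILES = {
    _norm(r"C:\Windows\System32\example.dll"),  # legitimate copy
    _norm(UPDATER_IN_TEMP + r"\example.dll"),    # copy sitting in %TEMP%
}
USER_WRITABLE = [TEMP_DIR]

if __name__ == "__main__":
    for app_dir in (UPDATER_IN_TEMP, UPDATER_IN_PROGFILES):
        path, risky = hijack_risk("example.dll", app_dir, app_dir, [],
                                  SAMPLE_FILES, USER_WRITABLE)
        print(f"{app_dir}: loads {path}, at risk: {risky}")
```

Running the updater from the temp directory resolves the DLL to the copy in %TEMP% (flagged), while running it from Program Files falls through to the System32 copy; the same check applied to a real install gives a defender a quick triage of which loader paths are worth hardening.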

Skype might seem an unlikely app to use against a user, because it runs with the same level of privileges as the local, logged-in user, which makes it hard for attackers to do much with that low level of access.

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.