« previous next »
Pages: [1]

Author Topic: A major bug is forcing Microsoft to rebuild Skype for Windows  (Read 141 times)

Offline javajolt

  • Administrator
  • Hero Member
  • *****
  • Posts: 35210
  • Gender: Male
  • I Do Windows
    • windows10newsinfo.com
A major bug is forcing Microsoft to rebuild Skype for Windows
« on: February 14, 2018, 02:11:11 PM »
Skype has fallen foul of a security flaw that can allow attackers to gain system-level privileges to vulnerable computers, Microsoft has confirmed. However, the company won't immediately fix the issue because doing so would require a complete code overhaul. The bug was discovered by security researcher Stefan Kanthak, who says the Skype update can be nefariously tweaked to trick an application into drawing incorrect code instead of the right library. This would let a hacker download malicious code and put it into a user-accessible temporary folder, renaming it to an existing DLL that could be modified by anyone without system privileges. According to Kanthak, once system access is granted, an attacker "can do anything". However, the hacker would require physical access to the computer to do this.

Kanthak told Microsoft about the vulnerability -- which could let hackers steal files, delete data or run ransomware -- back in September, and the company acknowledged a fix would require "a large code revision". Speaking to ZDNet, Kanthak said that even though Microsoft was able to reproduce the issue, a fix will only arrive "in a newer version of the product rather than a security update", the implication being that patching the issue would require too much work. Microsoft said it's put "all resources" into building a new client but has not revealed when that's likely to land. We've reached out to Microsoft for comment.

Update: A Microsoft spokesperson gave us the following statement. "We have a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is that on issues of low risk, we remediate that risk via our Update Tuesday schedule.​"

Quote
Skype desktop app comes with its own updater tool that periodically runs to keep the Skype app up to date. When an update is available, Updater tool copies/extracts another executable as “%SystemRoot%\Temp\SKY.tmp” and executes it using the command line
“%SystemRoot%\Temp\SKY.tmp” /QUIET. A security researcher has found that this executable is vulnerable to DLL hijacking.
source
« Last Edit: February 14, 2018, 02:15:02 PM by javajolt »
Logged

Pages: [1]
« previous next »