Security Researchers Expose Skype Security Flaw Microsoft isn’t Fixing


Microsoft-owned Skype has a big security flaw that could let an attacker gain control of Mac, Windows, and Linux computers. What’s worse is that Microsoft isn’t planning on fixing the flaw, at least for now, because it amounts to rewriting the entire app update installer.


A big security flaw in Skype is going unpatched

The security flaw is in the app update installer, and if exploited, could let attackers gain administrator-level access even if the victim is logged into their computer as a standard user. From there, they can copy and delete files, install other apps, access personal information, and more.

Microsoft was alerted to the flaw in September 2017 and was able to reproduce it on its own computers. From the SecLists notes by Stefan Kanthak:

The engineers provided me with an update on this case. They’ve reviewed the code and were able to reproduce the issue, but have determined that the fix will be implemented in a newer version of the product rather than a security update. The team is planning on shipping a newer version of the client, and this current version will slowly be deprecated.

The notes identify a Windows-specific DLL injection vulnerability as the reason a code rewrite is needed, which Microsoft apparently isn’t prepared to do yet. That means the auto-updater system in Skype is a security risk should anyone decide they want to exploit it, and it’ll stay that way until the rewritten version is released—and users install it.

wab95 (Member)

Excellent point.

That is a discussion that Apple senior management should be having, if they’ve not had it already; and with a very clear reason for not doing so, if that is the decision.

I confess to lacking the technical expertise to know how portable the platform is, or what opening it up to the broader industry would mean for the security of Apple’s own platform, which should be the ultimate criterion for a ‘go/no go’ decision.

geoduck (Member)

This is a big opening. Apple should have opened FaceTime up to other platforms ages ago.

wab95 (Member)

The notes reference a Windows-specific DLL injection vulnerability as the need for the code rewrite, which Microsoft apparently isn’t prepared to do yet. That means the auto-updater system in Skype is a security risk should anyone decide they want to exploit it, and it’ll stay that way until the rewritten version is released—and users install it.

You got a problem with that?

Besides, it only affects people using Windows. Or Macs. Or Linux. Everybody else is fine.

geoduck (Member)

LOL