Security Researchers Expose Skype Security Flaw Microsoft isn’t Fixing


Microsoft-owned Skype has a big security flaw that could let an attacker gain control of Mac, Windows, and Linux computers. What’s worse is that Microsoft isn’t planning on fixing the flaw, at least for now, because it amounts to rewriting the entire app update installer.

A big security flaw in Skype is going unpatched

The security flaw is in the app update installer, and if exploited, it could let attackers gain administrator-level access even when the victim is logged into the computer as a standard user. From there, they can copy and delete files, install other apps, access personal information, and more.

Microsoft was alerted to the flaw in September 2017 and was able to reproduce it on its own computers. From the Seclists post by Stefan Kanthak:

The engineers provided me with an update on this case. They’ve reviewed the code and were able to reproduce the issue, but have determined that the fix will be implemented in a newer version of the product rather than a security update. The team is planning on shipping a newer version of the client, and this current version will slowly be deprecated.

The notes cite a Windows-specific DLL injection vulnerability as the reason the installer code needs to be rewritten, which Microsoft apparently isn’t prepared to do yet. That means the auto-updater in Skype is a security risk should anyone decide to exploit it, and it’ll stay that way until the rewritten version is released—and users install it.

4 thoughts on “Security Researchers Expose Skype Security Flaw Microsoft isn’t Fixing”

  • Excellent point.

    That is a discussion that Apple senior management should be having, if they’ve not had it already; and with a very clear reason for not doing so, if that is the decision.

    I confess to lacking the technical expertise to know how portable the platform is, or what opening it up to the broader industry would mean for the security of Apple’s own platform, which should be the ultimate criterion for a ‘go/no go’ decision.

  • The notes reference a Windows-specific DLL injection vulnerability as the need for the code rewrite, which Microsoft apparently isn’t prepared to do yet. That means the auto-updater system in Skype is a security risk should anyone decide they want to exploit it, and it’ll stay that way until the rewritten version is released—and users install it.

    You got a problem with that?

    Besides, it only affects people using Windows. Or Macs. Or Linux. Everybody else is fine.
