Microsoft-owned Skype has a big security flaw that could let an attacker gain control of Mac, Windows, and Linux computers. What’s worse is that Microsoft isn’t planning on fixing the flaw, at least for now, because it amounts to rewriting the entire app update installer.
The security flaw is in the app update installer, and if exploited, could let attackers gain administrator-level access even if the victim is logged into their computer as a standard user. From there, they can copy and delete files, install other apps, access personal information, and more.
Microsoft was alerted to the flaw in September 2017 and was able to reproduce it on their own computers. From the SecLists notes by Stefan Kanthak:
The engineers provided me with an update on this case. They’ve reviewed the code and were able to reproduce the issue, but have determined that the fix will be implemented in a newer version of the product rather than a security update. The team is planning on shipping a newer version of the client, and this current version will slowly be deprecated.
The notes cite a Windows-specific DLL injection vulnerability as the reason a code rewrite is needed, a rewrite Microsoft apparently isn’t prepared to do yet. That means the auto-updater in Skype is a security risk should anyone decide to exploit it, and it’ll stay that way until the rewritten version is released—and users install it.