A significant software rewrite will be needed to fix a bug in Skype for Windows. A vulnerability in the application's update feature means a malicious actor can gain access to the computer's system account and grant themselves privileges to do whatever they like. The vulnerability is fixable but will require a significant rewrite, with an indication that Microsoft will need to issue a new version of Skype rather than a patch.
The vulnerability was reported to Microsoft by security researcher Stefan Kanthak. He says the Skype updater is susceptible to DLL hijacking. In simple terms, if someone can place a malicious version of a DLL file that is used by the Skype updater's executable, they can take full control of the system.
Placing a malicious DLL does not require any special account privileges.
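The loader behaviour behind the bug is worth seeing concretely. When a program asks for a DLL by bare name rather than by a fully qualified path, Windows walks a fixed list of directories and takes the first match, so any directory that comes earlier in that list and that a standard user can write to is a hijack opportunity, and a program running as SYSTEM (like an updater) would execute the planted code with SYSTEM rights. The script below is an added illustration, not Skype's or Microsoft's code: it models the documented SafeDllSearchMode order (simplified, 16-bit system directory omitted), resolves a DLL name along it, and reports which earlier directories are writable by non-privileged users. The directory layout and the DLL name `helper.dll` are constructed for the demo, and writability is approximated with POSIX mode bits so it runs on a Linux box; on Windows the same question is answered by the directory's ACL.

```python
"""Audit where a DLL would be resolved from under the Windows loader's search
order and flag search-path directories a standard user can write to ahead of
the directory that legitimately holds the DLL. Added illustration only."""
import stat
import tempfile
from pathlib import Path


def search_order(app_dir, system_dir, windows_dir, cwd, path_dirs):
    """Directories in the order the loader consults them for a bare DLL name
    (SafeDllSearchMode on; 16-bit system directory omitted for brevity)."""
    return [Path(app_dir), Path(system_dir), Path(windows_dir), Path(cwd),
            *map(Path, path_dirs)]


def standard_user_writable(directory):
    """POSIX approximation of 'a non-privileged user could drop a file here'."""
    return bool(Path(directory).stat().st_mode & stat.S_IWOTH)


def audit_dll_load(dll_name, dirs, legitimate_dir):
    """Resolve dll_name along dirs (first match wins) and report exposure.

    exposed_dirs lists every directory that precedes legitimate_dir in the
    search order and is writable by a standard user: a file of the same name
    dropped there would be loaded instead of the real DLL, which is the
    precondition for the updater bug described above.
    """
    legitimate_dir = Path(legitimate_dir)
    resolved = next((d / dll_name for d in dirs if (d / dll_name).is_file()), None)
    exposed = []
    for d in dirs:
        if d == legitimate_dir:
            break
        if d.exists() and standard_user_writable(d):
            exposed.append(d)
    return {
        "resolved": resolved,
        "loaded_from_expected": resolved is not None and resolved.parent == legitimate_dir,
        "exposed_dirs": exposed,
    }


def demo():
    """Constructed layout: the real DLL lives in the 'system32' stand-in.

    Returns three audits: app directory locked down, app directory
    world-writable, and a same-named file already present in the app
    directory (showing that the earlier directory shadows the real DLL).
    """
    root = Path(tempfile.mkdtemp())
    app, system, windows, cwd = (root / n for n in ("app", "system32", "windows", "cwd"))
    for d in (app, system, windows, cwd):
        d.mkdir()
    (system / "helper.dll").write_bytes(b"placeholder, not a real DLL")  # constructed
    dirs = search_order(app, system, windows, cwd, [])

    app.chmod(0o755)
    locked = audit_dll_load("helper.dll", dirs, system)

    app.chmod(0o777)  # simulate an application directory any user may write to
    exposed = audit_dll_load("helper.dll", dirs, system)

    (app / "helper.dll").write_bytes(b"placeholder shadowing copy")  # constructed
    shadowed = audit_dll_load("helper.dll", dirs, system)
    return locked, exposed, shadowed


if __name__ == "__main__":
    for label, result in zip(("locked-down", "world-writable", "shadowed"), demo()):
        print(f"{label}: {result}")
```

The defensive reading of the output is that `exposed_dirs` should be empty for every DLL a privileged process loads by name; the developer-side fix Microsoft documents is to load by fully qualified path or to restrict the search with `SetDefaultDllDirectories` / `LoadLibraryEx` and `LOAD_LIBRARY_SEARCH_SYSTEM32`, which removes user-writable directories from the walk entirely.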
Kanthak reported the flaw to Microsoft last September, and Microsoft was able to reproduce the vulnerability. In its response to him, the company said a new version of the Skype client addressing this issue would be issued and that the current, vulnerable version would "slowly be deprecated".
The security report made by Kanthak throws some shade at Microsoft's engineers, noting that Microsoft issues advice to developers on avoiding software that is vulnerable in exactly this way - advice "which their own developers and their QA but seem to ignore!", he wrote.
In the meantime, if you're a Skype user, make sure your other security measures are in place. An attack via the Skype updater will require a user to install some infected DLLs. That can happen via some other infiltration such as a phishing email. Keep your user education up to date, and ensure everyone is running appropriate and updated endpoint software, as that offers some defence.