Skype Security Is Borked And Hard To Fix

Image: Anthony Caruana

A significant software rewrite will be needed to fix a bug in Skype for Windows. A vulnerability in the application's update feature means a malicious actor can gain access to the computer's system account and grant themselves privileges to do whatever they like. The vulnerability is fixable, but the fix will require a significant rewrite, and there are indications that Microsoft will need to issue a new version of Skype rather than a patch.

The vulnerability was reported to Microsoft by security researcher Stefan Kanthak. He says the Skype updater is susceptible to DLL hijacking. In simple terms, if someone can place a malicious version of a DLL file that is used by the Skype updater's executable file, they can take full control of a system.

Placing a malicious DLL does not require any special account privileges.

Kanthak reported the flaw to Microsoft last September, and the company was able to reproduce the vulnerability. In its response to him, Microsoft said a new version of the Skype client addressing this issue would be issued and that the current, vulnerable version would "slowly be deprecated".

The security report made by Kanthak throws some shade at Microsoft's engineers, noting that Microsoft issues advice to developers to avoid writing software that is vulnerable in this exact way - advice "which their own developers and their QA but seem to ignore!", he wrote.

In the meantime, if you're a Skype user, make sure your other security measures are in place. An attack via the Skype Updater will require a user to install some infected DLLs. That can happen via some other infiltration such as a phishing email. Keep your user education up to date, and ensure everyone is running appropriate and updated endpoint software, as that offers some defence.
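As a triage aid for the DLL hijacking described above, the following added example (not code from the article, the researcher or Microsoft) flags image-load records in which a process running as SYSTEM loads a DLL from outside admin-only directories. The record fields follow Sysmon's image-load event (Event ID 7); the trusted-root list is an assumption, and the sample records, paths and file names are constructed.

```python
import ntpath

# Assumption: roots that only administrators can write to on a default install.
TRUSTED_ROOTS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64",
                 r"C:\Program Files", r"C:\Program Files (x86)")
SYSTEM_USER = r"NT AUTHORITY\SYSTEM"


def _norm(path):
    # Case-fold and collapse "..", so look-alike paths compare equal.
    return ntpath.normcase(ntpath.normpath(path))


def in_trusted_root(path):
    p = _norm(path)
    return any(p.startswith(_norm(root) + "\\") for root in TRUSTED_ROOTS)


def suspicious_loads(events):
    """Return (process, dll, reasons) for SYSTEM processes loading DLLs
    from directories an unprivileged user may be able to write to."""
    findings = []
    for ev in events:
        if ev["User"].upper() != SYSTEM_USER:
            continue  # a hijacked load only yields SYSTEM if the loader runs as SYSTEM
        dll = ev["ImageLoaded"]
        if in_trusted_root(dll):
            continue
        reasons = ["outside admin-only directories"]
        if _norm(ntpath.dirname(dll)) == _norm(ntpath.dirname(ev["Image"])):
            reasons.append("same directory as the executable")
        if ev["Signed"].lower() != "true":
            reasons.append("unsigned")
        findings.append((ev["Image"], dll, reasons))
    return findings


# Constructed sample records; all paths and file names are made up.
SAMPLE_EVENTS = [
    {"User": r"NT AUTHORITY\SYSTEM", "Signed": "true",
     "Image": r"C:\ProgramData\ExampleApp\updater.exe",
     "ImageLoaded": r"c:\windows\system32\VERSION.dll"},
    {"User": r"NT AUTHORITY\SYSTEM", "Signed": "false",
     "Image": r"C:\ProgramData\ExampleApp\updater.exe",
     "ImageLoaded": r"C:\ProgramData\ExampleApp\helper.dll"},
    {"User": r"DESKTOP\alice", "Signed": "false",
     "Image": r"C:\Users\alice\AppData\Local\Tool\tool.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Tool\plugin.dll"},
]
```

Only the second record is reported: the first load comes from System32, and the third process does not run as SYSTEM.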


Comments

    That reads as:
    Breaking News: if your system gets compromised, it can compromise your system !!!

    I gave up on Skype years ago and have no intention to use it anytime soon.

    The UI and video calling just degraded over time, so did its user base around my inner circle of family and friends.

    WhatsApp has pretty much filled the void.
    Granted, it too has had its share of security issues, but they seem to address them quick smart and have taken a leaf from Signal's messaging platform which is a good thing.

    So to put a custom DLL in the program would require write access to the disk, if you have write access all bets are off as you might just insert your DLL into the list of programs that need starting up with the computer. This 'exploit' isn't really an exploit, the program just blindly loads its update plugin, it doesn't check to see what that program is or does, it just runs it. You can't use Skype to hack somebody's computer, there is no method for remote scripting.
    Why has the security community acknowledged this as needing fixing in the first place?
    Next it will become standard practice to scan any plugins for API links to the delete command before allowing their inclusion in some software package.
