A serious vulnerability has been discovered in Microsoft-owned most common free web messaging as well as voice calling service Skype of which could potentially allow attackers to gain full control of the host machine by granting system-level privileges to a local, unprivileged user.
The worst part is usually of which This specific vulnerability will not be patched by Microsoft anytime soon.
This specific’s not because the flaw is usually unpatchable, although because fixing the vulnerability requires a significant software rewrite, which indicates of which the company will need to issue an all-brand-new style of Skype rather than just a patch.
The vulnerability has been discovered as well as reported to Microsoft by security researcher Stefan Kanthak as well as resides in Skype’s update installer, which is usually susceptible to Dynamic Link Libraries (DLL) hijacking.
According to the researcher, a potential attacker could exploit the “functionality of the Windows DLL loader where the process loading the DLL searches for the DLL to be loaded first inside the same directory in which the process binary resides as well as then in additional directories.”
The exploitation of This specific preferential search order would likely allow the attacker to hijack the update process by downloading as well as placing a malicious style of a DLL file into a temporary folder of a Windows PC as well as renaming This specific to match a legitimate DLL of which can be modified by an unprivileged user without having any special account privileges.
When Skype’s update installer tries to find the relevant DLL file, This specific will find the malicious DLL first, as well as thereby will install the malicious code.
Although Kanthak demonstrated the attack using the Windows style of Skype, he believes the same DLL hijacking method could also work against additional operating systems, including Skype versions for macOS as well as Linux.
Kanthak informed Microsoft of the Skype vulnerability back in September, although the company told him of which the patch would likely require the Skype update installer go through “a large code revision,” Kanthak told ZDNet.
So rather than releasing a security update, Microsoft decided to build an altogether brand-new style of the Skype client of which would likely address the vulnerability.
This specific should be noted of which This specific vulnerability only affects the Skype for the desktop app, which uses its update installer which is usually vulnerable to the DLL hijacking technique. The Universal Windows Platform (UWP) app style available by the Microsoft Store for Windows 10 PCs is usually not affected.
The vulnerability has been rated as “medium” in severity, although Kanthak said, “the attack could be easily weaponized.” He gave two examples, which have not been released yet.
Until the company issues an all-brand-new style of Skype client, users are advised to exercise caution as well as avoid clicking on attachments provided in an email. Also, make sure you run appropriate as well as updated anti-virus software of which offers some defence against such attacks.
This specific is usually not the very first time Skype has been dealing having a severe security flaw. In June 2017, a critical flaw in Skype was revealed before Microsoft released a fix for the issue of which allowed hackers to crash systems as well as execute malicious code in them.
Last month, among several messaging applications, Skype was also dealing having a critical remote code execution vulnerability in Electron—a common web application framework widely-used in desktop applications.