Published in News

Skype bug can't be fixed without a major rewrite

by on13 February 2018

Gives an attacker system level privileges

Skype has a significant security flaw that Microsoft can't fix without a major code rewrite.

The flaw is in Skype's updater process and can allow an attacker to gain system-level privileges to a vulnerable computer. If exploited, it can escalate a local unprivileged user to the full "system" level rights - granting access to every corner of the operating system.

Security researcher Stefan Kanthak found that the Skype update installer could be exploited with a DLL hijacking technique, which allows an attacker to trick an application into drawing malicious code instead of the correct library. An attacker can download a malicious DLL into a user-accessible temporary folder and rename it to an existing DLL that can be modified by an unprivileged user, like UXTheme.dll. The bug works because the malicious DLL is found first when the app searches for the DLL it needs.

Once installed, Skype uses its built-in updater to keep the software up to date. When that updater runs, it uses another executable file to run the update, which is vulnerable to the hijacking.

Kanthak told ZDNet that the attack could be easily weaponised and showed two command line examples, how a script or malware could remotely transfer a malicious DLL into that temporary folder.

"Windows provides multiple ways to do it", he said. But DLL hijacking isn't limited to Windows; he said - noting that it can apply to Macs and Linux, too.

Once "system" privileges are gained, an attacker "can do anything", Kanthak said.

Kanthak informed Microsoft of the bug in September, but the software giant said issuing a fix would require the updater go through "a large code revision".

The company told him that even though engineers could reproduce the issue," a fix will land "in a newer version of the product rather than a security update".

Microsoft said that it was better to put "all resources" on building a new client.

To cause any damage of worth, you need to be an administrator or above - like the "system" user.


Last modified on 13 February 2018
Rate this item
(0 votes)

Read more about: