Microsoft Delays Fix for Critical Skype Vulnerability

Serious Vulnerability Discovered in Skype, Leaving Users at Risk

A significant security vulnerability has been identified in Skype, the popular messaging and voice calling service owned by Microsoft. This flaw could enable attackers to gain complete control over a user’s computer by granting system-level privileges to an unprivileged local user. Disturbingly, Microsoft has indicated that the fix for this serious issue will not be forthcoming in the near future.

The root cause of this vulnerability lies in Skype’s update installer, which is susceptible to Dynamic Link Library (DLL) hijacking. Security researcher Stefan Kanthak, who reported this vulnerability to Microsoft, noted that the flaw could be exploited through the normal functionality of the Windows DLL loader. This mechanism searches for the required DLL in the same directory as the process binary before looking in other directories. If an attacker places a malicious DLL file in an accessible temporary folder and renames it to match a legitimate file, the Skype update installer would unwittingly install the harmful version.

While Kanthak demonstrated this attack using the Windows version of Skype, he suspects that the same DLL hijacking technique could also be applicable to Skype’s macOS and Linux versions. Although Microsoft acknowledged the issue, they communicated that a simple patch would not suffice, and that rectifying the vulnerability would necessitate a considerable rewrite of the software, leading to plans for an entirely new version of the Skype client.

It is important to note that the threat primarily affects the desktop application of Skype, as the Universal Windows Platform (UWP) version, available via the Microsoft Store for Windows 10, does not share the same vulnerability. The severity of this issue is rated as “medium,” yet Kanthak warned that the potential for weaponization is significant and provided two hypothetical scenarios that remain unpublished.

Until Microsoft launches a revised version of Skype, users are advised to exercise heightened caution. Specifically, they should refrain from clicking on email attachments from unknown sources and ensure that they have up-to-date antivirus software as a preventive measure against such attacks.

This is not the first instance of Skype grappling with major security vulnerabilities. In June 2017, a critical flaw allowed hackers to crash systems and execute malicious code. More recently, Skype was implicated in vulnerabilities related to remote code execution in the Electron framework, which is widely utilized in various desktop applications.

Business owners, particularly those with significant reliance on communication platforms like Skype, should remain vigilant in light of this dangerous vulnerability. By understanding the potential tactics and techniques outlined in the MITRE ATT&CK framework—which include initial access through exploitation of trusted relationships and privilege escalation—organizations can better prepare to mitigate risks associated with such security flaws.

Source link