Skype security flaw 'ignored' by Microsoft could allow hackers to gain access to users' computers

A fix will instead land in a newer version of the product rather than a dedicated security update

A security bug has been uncovered in Skype via its update process which could allow hackers to gain access to a user's computer.

If exploited by an attacker, the flaw could give a local unprivileged user full access to the system level rights, a security expert over at Seclists.org has warned, giving access to every part of the operating system.

"Once installed, Skype uses its own proprietary update mechanism instead of Windows/Microsoft Update," said security researcher Stefan Kanthak. "[Because] Skype periodically runs '%ProgramFiles%\Skype\Updater\Updater.exe' under the SYSTEM account, when an update is available, [the] Updater.exe copies/extracts another executable as '%SystemRoot%\Temp\SKY

Kanthak explains that its this executable is vulnerable to DLL hijacking as it loads at least a DLL file called 'UXTheme.dll' from its application directory named '%SystemRoot%\Temp\' instead of from the Windows' system directory.

"An unprivileged (local) user who is able to place UXTheme.dll or any of the other DLLs loaded by the vulnerable executable in '%SystemRoot%\Temp\' gains escalation of privilege to the SYSTEM account," he added.

While Microsoft, who owns the video-calling service, has published plenty advice and guidance on how to avoid this error, Kanthak says the tech giant's own developers seem to be "ignoring it".

The security expert informed Microsoft of the bug in September, but according to the Seclists' reported timeline of the bug, a fix will instead land in a newer version of the product rather than a dedicated security update.

"The [Microsoft] engineers provided me with an update on this case," he said. "They've reviewed the code and were able to reproduce the issue, but have determined that the fix will be implemented in a newer version of the product rather than a security update.

"The team is planning on shipping a newer version of the client, and this current version will slowly be deprecated," he added. "The installer would need a large code revision to prevent DLL injection, but all resources have been put toward development of the new client."

With no further action made by Microsoft since, Kanthak published the report on Friday as a warning to Skype users.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Best ransomware removal tools
ransomware

Best ransomware removal tools

22 Jan 2021
Hackers publish over 4,000 files stolen from SEPA in ransomware attack
Security

Hackers publish over 4,000 files stolen from SEPA in ransomware attack

22 Jan 2021
Weekly threat roundup: SAP, Windows 10, Chrome
vulnerability

Weekly threat roundup: SAP, Windows 10, Chrome

21 Jan 2021
Biden nominees highlight tough cyber security challenges
cyber security

Biden nominees highlight tough cyber security challenges

20 Jan 2021

Most Popular

School laptops sent by government arrive loaded with malware
malware

School laptops sent by government arrive loaded with malware

21 Jan 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
What is the Raspberry Pi Pico?
Hardware

What is the Raspberry Pi Pico?

21 Jan 2021