Skype security flaw 'ignored' by Microsoft could allow hackers to gain access to users' computers

A fix will instead land in a newer version of the product rather than a dedicated security update

A security bug has been uncovered in Skype via its update process which could allow hackers to gain access to a user's computer.

If exploited by an attacker, the flaw could give a local unprivileged user full access to the system level rights, a security expert over at Seclists.org has warned, giving access to every part of the operating system.

Advertisement - Article continues below

"Once installed, Skype uses its own proprietary update mechanism instead of Windows/Microsoft Update," said security researcher Stefan Kanthak. "[Because] Skype periodically runs '%ProgramFiles%\Skype\Updater\Updater.exe' under the SYSTEM account, when an update is available, [the] Updater.exe copies/extracts another executable as '%SystemRoot%\Temp\SKY

Kanthak explains that its this executable is vulnerable to DLL hijacking as it loads at least a DLL file called 'UXTheme.dll' from its application directory named '%SystemRoot%\Temp\' instead of from the Windows' system directory.

"An unprivileged (local) user who is able to place UXTheme.dll or any of the other DLLs loaded by the vulnerable executable in '%SystemRoot%\Temp\' gains escalation of privilege to the SYSTEM account," he added.

While Microsoft, who owns the video-calling service, has published plenty advice and guidance on how to avoid this error, Kanthak says the tech giant's own developers seem to be "ignoring it".

Advertisement
Advertisement - Article continues below

The security expert informed Microsoft of the bug in September, but according to the Seclists' reported timeline of the bug, a fix will instead land in a newer version of the product rather than a dedicated security update.

Advertisement - Article continues below

"The [Microsoft] engineers provided me with an update on this case," he said. "They've reviewed the code and were able to reproduce the issue, but have determined that the fix will be implemented in a newer version of the product rather than a security update.

"The team is planning on shipping a newer version of the client, and this current version will slowly be deprecated," he added. "The installer would need a large code revision to prevent DLL injection, but all resources have been put toward development of the new client."

With no further action made by Microsoft since, Kanthak published the report on Friday as a warning to Skype users.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now
Advertisement

Recommended

Visit/security/cyber-security/355185/165-million-britons-experienced-a-cyber-crime-in-the-past-year
cyber security

Report: 16.5 million Britons fell victim to cyber crime in the past year

1 Apr 2020
Visit/cloud/amazon-web-services-aws/355183/aws-launches-amazon-detective
Amazon Web Services (AWS)

AWS launches Amazon Detective for investigating security incidents

1 Apr 2020
Visit/security/privacy/355182/government-to-launch-coronavirus-contact-tracking-app
privacy

UK government to launch coronavirus 'contact tracking' app

1 Apr 2020
Visit/software/video-conferencing/355180/zoom-does-not-use-end-to-end-encrypted
video conferencing

Zoom admits meetings don't use end-to-end encryption

1 Apr 2020

Most Popular

Visit/development/application-programming-interface-api/355192/apple-buys-dark-sky-weather-app-and-leaves
application programming interface (API)

Apple buys Dark Sky weather app and leaves Android users in the cold

1 Apr 2020
Visit/security/cyber-crime/355171/fbi-warns-of-zoom-bombing-hackers-amidst-coronavirus-usage-spike
cyber crime

FBI warns of ‘Zoom-bombing’ hackers amid coronavirus usage spike

31 Mar 2020
Visit/data-insights/data-management/355170/oracle-cloud-courses-are-free-during-coronavirus-lockdown
data management

Oracle cloud courses are free during coronavirus lockdown

31 Mar 2020
Visit/security/cyber-security/355200/spacex-bans-the-use-of-zoom
cyber security

Elon Musk's SpaceX bans Zoom over security fears

2 Apr 2020