A Microsoft Skype Vulnerability was discovered in popular free internet messaging and voice calling service Skype which may allow attackers to gain complete control of the server system by devoting system level privileges to a local, unprivileged user.
The worst part is that this vulnerability will not be patched by Microsoft anytime soon. It is not since the flaw is unpatchable, however, because fixing the vulnerability requires a software rewrite, which suggests that the corporation is going to necessity issue a brand new version of Skype as opposed to simply a patch.
The vulnerability has been detected and reported to Microsoft by security researcher Stefan Kanthak and resides in Skype update installer, which can be vulnerable to Dynamic Link Libraries hijacking.
In accordance with the researcher, a possible attacker may exploit the performance of the Windows Dynamic-link library loader where the process loading the Dynamic-link library searches to the Dynamic-link library to be charged first in the same directory wherein process binary resides and after that in other directories.
The manipulation of the preferential search order would permit the attacker to hijack the upgrade process by downloading and placing a malicious version of a Dynamic-link library file in a temporary folder using a Windows Personal Computer and pasting it to match with a legitimate DLL which may be modified by an unprivileged user without needing any particular account privileges.
When Skype’s upgrade installer tries to discover the relevant Dynamic-link library file, it is going to locate the malicious DLL and thus will set up the malicious code. Even though Kanthak demonstrated the attack utilizing the Windows version of Skype it also believes the same Dynamic-link library hijacking system could work against other OS, including Skype variants for macOS and Linux.
Kanthak informed Microsoft of the Skype vulnerability back in Sept, but the company told him that the patch could require the Skype upgrade installer go through a significant code modification, Kanthak told ZDNet. Thus as opposed to releasing a security update, Microsoft decided to construct a completely new version of the Skype client that could address the vulnerability.
It must be noted that this vulnerability only affects the Skype to the desktop application, which utilizes its upgrade installer which is exposed to the Dynamic-link library hijacking technique. The Universal Windows Platform application version available from the Microsoft Store for Windows 10 PCs is not affected.
The vulnerability has been rated as moderate in severity, but Kanthak stated, the attack might be easily weaponized. He also gave two examples, that have never been released yet. Till the business releases an all-new version of Skype client, users are advised to exercise caution and avoid clicking on attachments.
Additionally, ensure you run updated anti-virus program which delivers some defense against these attacks and appropriate.
This is not the very first time Skype has been dealing with a severe security flaw. Back in June 2017, a flaw in Skype was disclosed first time Skype has been dealing with a to the issue which allowed hackers to crash systems and execute code in them.
Last month, among several messaging applications, Skype was also dealing with a critical remote code execution vulnerability in Electron—a popular web application framework widely-used in desktop applications.