Skype security bug requires major rewrite

by Mark Tyson on 14 February 2018, 11:31

Tags: Microsoft (NASDAQ:MSFT), Skype


There is a security issue with Skype that is so problematic that it will require a major rewrite of the app, reports ZDNet. Microsoft has known about the bug since at least September and can reproduce the issue. However, fixes will be delivered in a new version of the Skype client rather than an update, as it is "too much work" to complete the bug fix now, says the source. While we wait, the bug could be exploited to escalate "a local unprivileged user to the full 'system' level rights - granting them access to every corner of the operating system".

Behind the security issue is an exploit technique called 'DLL hijacking'. Here's how it is possible:

  • An attacker downloads a malicious DLL into a user-accessible temporary folder
  • The attacker renames the DLL to one that can be modified by an unprivileged user, like UXTheme.dll
  • The malicious DLL is found first when the Skype updater app searches for the DLL it needs during update

ZDNet explains that Skype has its own built-in updater, and when it runs it uses another executable file to perform the update; that executable is vulnerable to the hijacking.

While the attack is described as "on the clunky side," it could nevertheless easily be weaponised, insists security researcher Stefan Kanthak. Kanthak supplied two command-line examples of how a script or malware could remotely transfer a malicious DLL into that temporary folder. He went on to remind the reporter that DLL hijacking isn't limited to Windows systems; Macs and Linux systems are vulnerable too.

If exploited successfully, the bug is rather serious. With 'system' privileges gained, an attacker "can do anything," Kanthak said. However, Microsoft isn't rushing to fix this, as mentioned in the intro. Microsoft does say that it has put "all resources" into building an altogether new client. Remember, this is a potential threat from local unprivileged users - not unknown remote hackers.
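
The search-order problem described above can be modelled in a few lines. This is an added example, not code from ZDNet, Microsoft or Kanthak: the two directories are constructed stand-ins for the updater's temporary folder and the system directory, the files are empty placeholders, and the function names are hypothetical. It shows which copy of a DLL a directory-first search resolves, what a system-only search resolves instead, and an audit check for the risky combination of a user-writable load directory and a shadowing DLL name.

```python
import os
import tempfile

def resolve_dll(name, search_dirs):
    """Return the first path matching `name` (case-insensitive, as on Windows)."""
    for d in search_dirs:
        for entry in sorted(os.listdir(d)):
            if entry.lower() == name.lower():
                return os.path.join(d, entry)
    return None

def shadowed_dlls(app_dir, system_dir):
    """Audit check: DLL names in app_dir that also exist in system_dir."""
    system = {e.lower() for e in os.listdir(system_dir)}
    return sorted(e for e in os.listdir(app_dir)
                  if e.lower().endswith(".dll") and e.lower() in system)

def audit(app_dir, system_dir):
    """Flag a user-writable load directory that holds a shadowing DLL."""
    return {
        "writable": os.access(app_dir, os.W_OK),
        "shadowed": shadowed_dlls(app_dir, system_dir),
    }

def demo():
    # Constructed stand-ins for the updater's temp folder and the system directory.
    root = tempfile.mkdtemp()
    app_dir = os.path.join(root, "Temp", "updater")
    system_dir = os.path.join(root, "System32")
    os.makedirs(app_dir)
    os.makedirs(system_dir)
    for path in (os.path.join(system_dir, "uxtheme.dll"),
                 os.path.join(app_dir, "UXTheme.dll")):
        open(path, "wb").close()  # empty placeholder files, not real DLLs
    default_order = [app_dir, system_dir]  # application directory searched first
    system_only = [system_dir]             # restricted search
    return {
        "default": resolve_dll("UXTheme.dll", default_order),
        "restricted": resolve_dll("UXTheme.dll", system_only),
        "audit": audit(app_dir, system_dir),
        "app_dir": app_dir,
        "system_dir": system_dir,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

On Windows, the restricted case corresponds to loading with a system-directory-only search, for example the `LOAD_LIBRARY_SEARCH_SYSTEM32` flag of `LoadLibraryEx`.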



HEXUS Forums :: 15 Comments

Presumably only the Windows version is vulnerable? Not that the OSX version hasn't had its share of vulnerabilities in the past!

Edit:

According to this article https://www.myce.com/news/critical-vulnerability-skype-discovered-fix-requires-large-code-revision-83726/

it is claimed (but not apparently verified) that it could affect the OSX version.

Oh well, no matter, I rarely use Skype these days, its main advantage is for landline calls but there are plenty of other messaging applications available, iMessage, Facetime, Telegram, WhatsApp etc.

Telegram is particularly interesting as it is truly cross platform: Linux, OSX, Windows, Android and iOS.
How is this update bug not easy to fix?

They just need to launch their temp process with modified search behaviour. This is easy to fix. Heck they could hack it to use a ‘random’ folder each time and make the attack far harder with a little ACL.

The real bug must be a different one.
Hang on, I thought Skype was installed from the Windows Store and that the store app did the updating. Are MS still making applications do their own updates behind the scenes?

A program should do one thing and do it well, that is the Windows way. Oh hang on, that's Unix isn't it. Windows is the one where you re-invent everything and bung it in a single application, yeah that would do it.
Make sure you stay secure by keeping your software up to date, we'll do that automatically for you, Oh wait! ;)
DanceswithUnix
Hang on, I thought Skype was installed from the Windows Store and that the store app did the updating. Are MS still making applications do their own updates behind the scenes?

A program should do one thing and do it well, that is the Windows way. Oh hang on, that's Unix isn't it. Windows is the one where you re-invent everything and bung it in a single application, yeah that would do it.

As Skype is semi-cross-platform I guess you don't need the Windows store. (Maybe for new installs?)

Installed versions are updated from within the application (maybe connecting to the Windows store or Apple store behind the scenes?). At least that's how it was last time I felt moved to update it (probably because another update had rendered my version incompatible)

Ah yes, the Windows way… :laugh: