Update: Microsoft has officially confirmed that the vulnerability in the Skype installer was fixed back in October. “There was an issue with an older version of the Skype for Windows desktop installer – version 7.40 and lower. The issue was in the program that installs the Skype software – the issue was not in the Skype software itself. Customers who have already installed this version of Skype for Windows desktop are not affected. We have removed this older version of Skype for Windows desktop from our website skype.com,” Microsoft writes.
You can find the original story below:
Microsoft’s messaging platform Skype has a vulnerability that could allow cybercriminals to gain the same rights as the logged-in user, and it appears that it won’t be fixed anytime soon, as the software giant needs to rewrite the code, which would be time-consuming. A report claims that patching the vulnerability is not as easy as it seems, since it requires more complex work.
Stefan Kanthak, a security researcher, claims that the bug is in the Skype update service and that, if it is exploited, the attacker will get admin access to users’ chats. The bug is not easy to exploit, however, as it can only be exploited through DLL hijacking, a process that replaces Microsoft’s library with a malicious library.
To exploit the bug, the attacker first has to drop the DLL file on a system, for example through a malicious site or email, among many other ways. If the malicious DLL file is on your computer, it is loaded when the user launches Skype and it checks for updates.
The cybercriminals would then get access to the computer and could steal data stored on the system, since the attacker would have obtained the same rights as the logged-in user. It goes without saying that this is a dangerous bug for any user, but it can’t be exploited easily.
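A defender-side check for the DLL planting described above, as an added example (not from the original article, the researcher or Microsoft): it lists DLLs in an application or installer directory that shadow a same-named DLL in the system directory. The directory arguments and the file names in the demo are constructed placeholders, since the article does not name the library involved.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):  # read in chunks
            h.update(chunk)
    return h.hexdigest()

def find_shadowing_dlls(app_dir, system_dir):
    """List DLLs in app_dir whose name matches a DLL in system_dir.

    Windows looks in the executable's own directory before the system
    directory (KnownDLLs excepted), so a same-named file placed beside an
    installer or updater is loaded in place of the system copy.
    """
    system = {p.name.lower(): p for p in Path(system_dir).iterdir()
              if p.is_file() and p.suffix.lower() == ".dll"}
    findings = []
    for p in sorted(Path(app_dir).iterdir()):
        original = system.get(p.name.lower()) if p.is_file() else None
        if original is None:
            continue  # not a file, or not shadowing any system DLL
        findings.append({
            "name": p.name,
            "differs_from_system_copy": sha256(p) != sha256(original),
            "dir_writable_by_user": os.access(app_dir, os.W_OK),
        })
    return findings

def demo():
    """Run the check on a constructed tree (file names are placeholders)."""
    with tempfile.TemporaryDirectory() as root:
        sysdir, appdir = Path(root, "system"), Path(root, "downloads")
        sysdir.mkdir()
        appdir.mkdir()
        (sysdir / "example_sys.dll").write_bytes(b"genuine library bytes")
        (appdir / "Example_Sys.DLL").write_bytes(b"different bytes")  # shadow
        (appdir / "app_own.dll").write_bytes(b"application library")  # benign
        return find_shadowing_dlls(appdir, sysdir)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A hit with `differs_from_system_copy` set in a directory the user can write to, such as a downloads or temp folder, is the case worth investigating first.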
Microsoft is aware of the bug and the company is already working on a fix, but the software giant is not in a rush to roll out the fix as it requires too much work. The researcher also claims Microsoft told him that the fix for the bug needs time since the updater needs to be fixed through a large code revision. This means a standalone security fix to address the bug won’t be released anytime soon, but you can expect the new version of Skype to include the fix for the reported vulnerability.
Disclaimer: The information contained in this article is based on research by Stefan Kanthak and his company. Windows Latest makes no claims or guarantees about the accuracy or completeness of the information contained in this article or linked pages (websites).