Fix coming in major Skype update, firm says

Feb 13, 2018 09:01 GMT

A security vulnerability in Skype that allows cybercriminals to get the same rights as the logged-in user on computers running the application won’t be fixed by Microsoft just yet, as the fix requires more complex work, including a massive update of the vulnerable process.

Security researcher Stefan Kanthak says the flaw resides in the Skype update service and it can be exploited with the help of DLL hijacking, which tricks the process into using a malicious library instead of the genuine one provided by Microsoft.

As ZDNet reports, this means the attacker first has to drop the nasty DLL file on the computer they target, but the researcher says there are many ways to do that using a temporary user folder.

Once Skype launches and checks for updates with the dedicated update service, if the malicious library is loaded, cybercriminals could exploit the flaw and gain access to the computer, obtaining the same rights as the logged-in user. It goes without saying that this is particularly dangerous if an administrator account is used, but the attacker can steal data stored on the system either way.

New Skype client on its way

As for the reasons Microsoft is not in a rush to develop a fix, the researcher says he first contacted the company in September last year and he was told that reproducing the issue was indeed possible.

At that time, however, the software giant explained that rolling out a fix for this bug requires too much work, pointing out that the updater needs to go through what the researcher cited as “a large code revision” to block the exploit.

On the other hand, Microsoft is preparing an update anyway, but it will only land with the release of a new version at some point in the future. This means a standalone security fix to address the bug won’t ship anytime soon, even though users are already vulnerable to attacks.

The researcher says other systems can be vulnerable as well, including Macs and Linux, though he admits that when it comes to DLL hijacking, it can be done in many more ways on Windows.