14 DAY TRIAL // Security researcher Enrico Weigelt uncovered a critical security issue in the way Skype installs itself on Debian Linux machines, adding its Microsoft's APT repository in the system's sources.list file.
Skype's Debian package uses an APT configuration profile which automatically inserts Microsoft's apt repository to the default system package sources which would allow anyone with access to it to hypothetically use malicious tools to compromise the machine.
In layman's terms, APT repositories are collections of .deb packages used as the central storage, management and delivery platform for all Debian-based Linux machines.
The APT repositories can be used to install, remove, or update applications on a Debian machine with the help of the apt-get command.
After obtaining control of Microsoft's Debian apt repository, an attacker would be able to inject malicious content in various distro packages using the update system, as well as replace legitimate packages with maliciously crafted ones.
Microsoft or a 3rd with access to its repository's private key can completely take control of any Debian machine where Skype is installed
Even worse, as noted by Canonical's Seth Arnold in the Full Disclosure mailing list, because install and uninstall scripts for Debian packages run using full root privileges, attackers can completely take over the affected Debian machine if they know what they're doing.
Weigelt adds a mitigation solution for Microsoft to implement to take out the security issue from the Skype Deiban package, namely the removal of the apt configuration profile from the .deb package.
Users can also take a number of steps to protect their computers from being compromised after installing Skype.
As a first step, you can remove the sources/list entry added by Skype after installing it on your Linux box, you can manually unpack and repackage it to make sure that Microsoft's apt repository is not appended to the sources.list in the first place.
You can also install Skype within a confined container to limit the amount of damage it can do using Linux Containers (LXC)'s kernel level isolation.
"Untrusted packages are always a big security risk - those seriously shouldn't be installed on any security-relevant system," told Weigelt to Softpedia in an e-mail interview. "The best option, IMHO, is a carefully isolated container (eg. lxc or docker) - don't let it access your private data and make sure you cut its microphone access when not actually having a Skype call."
The vulnerability discovered by Weigelt was first added to the CXSECURITY vulnerability database and then on the Full Disclosure mailing list, and it doesn't yet have a Common Vulnerabilities and Exposures (CVE) identification number.
UPDATE: Added Enrico Weigelt's statement regarding the best isolation approach for this security issue.