- Bug discovered in Skype updater process
- Skype can’t fix the issue with a security update, needs new version
A new massive bug was discovered within Skype’s updater process, which would allow an attacker to gain system-level privileges to any vulnerable computer. With an app that has over a billion downloads and some 300 million monthly active users, this is a pretty big deal.
The find comes from security researcher Stefan Kanthak, who told ZDNet he discovered that the Skype update installer is susceptible to exploitation with a DLL hijacking technique. In short, the vulnerability could allow an attacker to fool the app into drawing malicious code. According to the researcher, the technique isn’t too complicated – an attacker needs to download the malicious DLL file into a user-accessible temp folder. Then, the file could get renamed to an existing DLL that is open to modifications by an unprivileged user.
Then, waiting occurs. Once Skype is installed, it updates on its own, running the updater. This time, however, it uses an executable file to run the update, which makes it vulnerable to hijacking. Once the attacker gains system privileges, they can do anything on the affected computer – steal data, run ransomware, delete files, and so on. Anything is possible.
The method isn’t just for Windows Skype users, however, as it also affects Mac and Linux users too.
Now, for the worst part. Microsoft has been informed of the bug back in September, but the company claims that in order to fix the bug, the updater would need to be re-coded. The folks over at Microsoft managed to reproduce the issue but admitted that a fix would not be possible to be delivered via a basic security update, but would rather come with a newer version of the product.
The “good” news is that you’d have to be specifically targeted by an attacker. For the most part, hackers are nowadays resorting to other methods that require less work and have a broader reach, so common users shouldn’t worry too much.