That terrifying 'unfixable' Microsoft Skype security flaw: THE TRUTH

Oh yeah, we patched that in October, Windows giant yawns


Microsoft has poured a bucket of cold water on people freaking out over a supposedly unfixable security flaw in Skype.

The infosec world was atwitter this week over fears and headlines of a nasty bug in Redmond's video chat app that apparently could not be addressed without a massive code rewrite. The claim was that the programming blunder was so major it could not simply be patched, and that Microsoft would have no option but to reengineer Skype for Windows and issue a new release sometime in the future.

Well, it was fixed in October.

Far be it from us to run to Microsoft's rescue, but the vulnerability is present in Skype for Windows versions 7.40 and lower. In October 2017, Microsoft released version 8 without the flaw, so if you kept up to date, you're fine. If you're running version 7, get version 8.

The security cockup allows malware running on a Windows PC to exploit Skype's update mechanism to gain full control over the computer via DLL hijacking. Exploiting the design oversight will grant malicious software, or anyone logged into the box, full system-level privileges. The update tool uses temporary files stored in the %SYSTEMROOT% directory, and it's possible to drop custom DLLs into that folder and have them loaded by an installer process that runs with system-level privileges.

So, yeah, install version 8 if you haven't already. Yes, Microsoft doesn't offer it automatically to all users, and that sucks, but at least now you know what to do.
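Since Microsoft does not push version 8 to everyone automatically, an administrator will want a quick way to find machines still on the affected 7.40-and-lower range. The following PowerShell audit is an added example, not code from The Register or Microsoft; it assumes Skype for Windows desktop registers under the standard Uninstall keys with a DisplayName beginning "Skype" (Skype for Business is excluded, as it is a different product) and a DisplayVersion string such as "7.40.0.104" or "8.12.0.14".

```powershell
# Added example: flag Skype for Windows desktop installs at version 7.40 or lower.
# Assumption: Skype's installer writes a DisplayName/DisplayVersion pair under the
# usual per-machine (HKLM, including WOW6432Node) and per-user (HKCU) Uninstall keys.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# The article states version 8 (October 2017) shipped without the flaw, so anything
# strictly below 8.0 falls in the affected "7.40 and lower" range.
$fixedVersion = [version]'8.0'

function Test-SkypeInstallerVulnerable {
    param([Parameter(Mandatory)][string]$DisplayVersion)
    # [version] handles "7.40", "7.40.0.104" and "8.12.0.14" alike; compare numerically,
    # not as strings, so that "7.9" is correctly treated as lower than "8.0".
    try {
        return ([version]$DisplayVersion) -lt $fixedVersion
    } catch {
        Write-Warning "Could not parse version string '$DisplayVersion'; treating as unknown."
        return $false
    }
}

$findings = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        $_.DisplayName -like 'Skype*' -and
        $_.DisplayName -notlike 'Skype for Business*' -and
        $_.DisplayVersion
    } |
    ForEach-Object {
        [pscustomobject]@{
            Name       = $_.DisplayName
            Version    = $_.DisplayVersion
            Vulnerable = Test-SkypeInstallerVulnerable -DisplayVersion $_.DisplayVersion
            Key        = $_.PSPath
        }
    }

if (-not $findings) {
    Write-Output 'No Skype for Windows desktop installation found in the Uninstall keys.'
} else {
    $findings | Format-Table -AutoSize
    if ($findings | Where-Object { $_.Vulnerable }) {
        Write-Warning 'Skype 7.40 or lower detected: install Skype 8, which is not offered automatically.'
    }
}
```

Run it under the user account that installed Skype as well as an elevated prompt, since per-user installs only appear in that user's HKCU hive.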

"There was an issue with an older version of the Skype for Windows desktop installer – version 7.40 and lower. The issue was in the program that installs the Skype software – the issue was not in the Skype software itself," Skype program manager Ellen Kilbourne said in a support forum post on Wednesday.

"Customers who have already installed this version of Skype for Windows desktop are not affected. We have removed this older version of Skype for Windows desktop from our website skype.com."


The issue was discovered by German researcher Stefan Kanthak, who said he alerted Redmond in September. Kanthak said he was told in October that patching the bug in the software would require a "large code revision," and disclosed details of the flaw this month to warn everyone of the problem.

That revelation sparked a lot of handwringing and speculation the bug would be a "major" ongoing security issue that would prove highly difficult and expensive for Microsoft to address, leaving punters vulnerable for months to escalation-of-privilege attacks via local users and applications.

Microsoft, however, confirmed this week it addressed the coding cockup back in October, and that the vulnerability can be killed off by simply updating Skype. Those running the latest version have been protected for the past few months. We're also not aware of any malware exploiting this security hole.

This will provide a bit of relief to IT administrators who just two days ago were served a massive Patch Tuesday update that addressed 50 CVE-listed vulnerabilities in Redmond's products, and faced the possibility of having to test and deploy an out-of-band patch for Skype, too. ®
