That terrifying 'unfixable' Microsoft Skype security flaw: THE TRUTH

Oh yeah, we patched that in October, Windows giant yawns

Microsoft has poured a bucket of cold water on people freaking out over a supposedly unfixable security flaw in Skype.

The infosec world was atwitter this week over fears and headlines of a nasty bug in Redmond's video chat app that apparently could not be addressed without a massive code rewrite. The story went that the programming blunder was so major it could not simply be patched, and that Microsoft would have no option but to reengineer Skype for Windows and issue a new release sometime in the future.

Well, it was fixed in October.

Far be it from us to run to Microsoft's rescue, but the vulnerability is present in Skype for Windows versions 7.40 and lower. In October 2017, Microsoft released version 8 without the flaw, so if you kept up to date, you're fine. If you're running version 7, get version 8.

The security cockup allows malware running on a Windows PC to exploit Skype's update mechanism to gain full control over the computer via DLL hijacking. Exploiting the design oversight will grant malicious software, or anyone logged into the box, full system-level privileges. The update tool uses temporary files stored in the %SYSTEMROOT% directory, and it's possible to drop custom DLLs into that folder and have them injected into an installer process that runs with system-level privileges.
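As an added illustration from the detection side (not code from the article, Microsoft or the researcher), here is a small Python correlation over constructed, simplified Sysmon-style file-create and image-load records that flags the pattern the paragraph describes: a DLL written under %SYSTEMROOT% by an unprivileged account and later loaded by a process running as SYSTEM. The event fields, file names, paths and account names are constructed assumptions, not values from the page.

```python
"""Toy correlation for the installer DLL-hijack pattern described above.
Records are constructed, simplified stand-ins for Sysmon event 11 (FileCreate)
and event 7 (ImageLoad); they are not real telemetry."""
from dataclasses import dataclass
from typing import Dict, List

SYSTEMROOT = r"C:\Windows"                     # directory named in the article
PRIVILEGED = {"NT AUTHORITY\\SYSTEM"}          # accounts whose loads we care about


@dataclass
class Event:
    ts: int        # constructed timestamp (seconds)
    kind: str      # "FileCreate" or "ImageLoad"
    image: str     # process performing the action
    user: str      # account the process runs as
    target: str    # file created, or DLL loaded


def _dll_under_systemroot(path: str) -> bool:
    p = path.lower()
    return p.startswith(SYSTEMROOT.lower() + "\\") and p.endswith(".dll")


def find_hijack_candidates(events: List[Event]) -> List[Dict[str, str]]:
    """Pair each DLL written under %SYSTEMROOT% by a non-SYSTEM account with a
    later load of that same DLL by a SYSTEM-level process. Only the pairing is
    flagged, so a SYSTEM-owned installer writing its own files is not reported."""
    drops: Dict[str, Event] = {}
    hits: List[Dict[str, str]] = []
    for ev in sorted(events, key=lambda e: e.ts):   # time order: drop must precede load
        key = ev.target.lower()
        if ev.kind == "FileCreate" and _dll_under_systemroot(ev.target) and ev.user not in PRIVILEGED:
            drops[key] = ev                          # remember who dropped it
        elif ev.kind == "ImageLoad" and ev.user in PRIVILEGED and key in drops:
            d = drops[key]
            hits.append({"dll": ev.target, "dropped_by": d.image,
                         "dropper_user": d.user, "loaded_by": ev.image})
    return hits


# Constructed sample: one hijack, one benign SYSTEM write, one user-space load.
SAMPLE_EVENTS = [
    Event(100, "FileCreate", r"C:\Users\alice\dropper.exe", "HOST\\alice", r"C:\Windows\dropped_example.dll"),
    Event(105, "ImageLoad", r"C:\Windows\Temp\installer_example.exe", "NT AUTHORITY\\SYSTEM", r"C:\Windows\dropped_example.dll"),
    Event(200, "FileCreate", r"C:\Windows\Temp\installer_example.exe", "NT AUTHORITY\\SYSTEM", r"C:\Windows\legit_example.dll"),
    Event(201, "ImageLoad", r"C:\Windows\Temp\installer_example.exe", "NT AUTHORITY\\SYSTEM", r"C:\Windows\legit_example.dll"),
    Event(300, "FileCreate", r"C:\Users\alice\app.exe", "HOST\\alice", r"C:\Users\alice\plugin.dll"),
    Event(301, "ImageLoad", r"C:\Users\alice\app.exe", "HOST\\alice", r"C:\Users\alice\plugin.dll"),
]

if __name__ == "__main__":
    for hit in find_hijack_candidates(SAMPLE_EVENTS):
        print(hit)
```

The rule keys on the combination of an unprivileged writer and a privileged loader, which is what turns a writable system directory into a privilege escalation; either half alone is routine.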

So, yeah, install version 8 if you haven't already. Yes, Microsoft doesn't offer it automatically to all users, and that sucks, but at least now you know what to do.

"There was an issue with an older version of the Skype for Windows desktop installer – version 7.40 and lower. The issue was in the program that installs the Skype software – the issue was not in the Skype software itself," Skype program manager Ellen Kilbourne said in a support forum post on Wednesday.

"Customers who have already installed this version of Skype for Windows desktop are not affected. We have removed this older version of Skype for Windows desktop from our website skype.com."

The issue was discovered by German researcher Stefan Kanthak, who said he alerted Redmond in September. Kanthak said he was told in October that patching the bug in the software would require a "large code revision," and disclosed details of the flaw this month to warn everyone of the problem.

That revelation sparked a lot of handwringing and speculation the bug would be a "major" ongoing security issue that would prove highly difficult and expensive for Microsoft to address, leaving punters vulnerable for months to escalation-of-privilege attacks via local users and applications.

Microsoft, however, confirmed this week it addressed the coding cockup back in October, and that the vulnerability can be killed off by simply updating Skype. Those running the latest version have been protected for the past few months. We're also not aware of any malware exploiting this security hole.

This will provide a bit of relief to IT administrators who just two days ago were served a massive Patch Tuesday update that addressed 50 CVE-listed vulnerabilities in Redmond's products, and faced the possibility of having to test and deploy an out-of-band patch for Skype, too. ®
