Microsoft Won’t Patch a Severe Skype Vulnerability Anytime Soon

Capturar

by Swati Khandelwal

February 14, 2018

A serious vulnerability has been discovered in Microsoft-owned most popular free web messaging and voice calling service Skype that could potentially allow attackers to gain full control of the host machine by granting system-level privileges to a local, unprivileged user.

The worst part is that this vulnerability will not be patched by Microsoft anytime soon.

It’s not because the flaw is unpatchable, but because fixing the vulnerability requires a significant software rewrite, which indicates that the company will need to issue an all-new version of Skype rather than just a patch.

The vulnerability has been discovered and reported to Microsoft by security researcher Stefan Kanthak and resides in Skype’s update installer, which is susceptible to Dynamic Link Libraries (DLL) hijacking.

According to the researcher, a potential attacker could exploit the “functionality of the Windows DLL loader where the process loading the DLL searches for the DLL to be loaded first in the same directory in which the process binary resides and then in other directories.”

The exploitation of this preferential search order would allow the attacker to hijack the update process by downloading and placing a malicious version of a DLL file into a temporary folder of a Windows PC and renaming it to match a legitimate DLL that can be modified by an unprivileged user without having any special account privileges.

Mais do que uma solução tecnológica, somos uma decisão estratégica para as organizações.

Nossa missão é redefinir a relação das empresas com a cibersegurança e a experiência dos usuários no processo de autenticação e acesso a ativos tecnológicos.