A serious vulnerability has been discovered in Microsoft-owned most popular free web messaging and voice calling service Skype that could potentially allow attackers to gain full control of the host machine by granting system-level privileges to a local, unprivileged user.
The worst part is that this vulnerability will not be patched by Microsoft anytime soon.
It’s not because the flaw is unpatchable, but because fixing the vulnerability requires a significant software rewrite, which indicates that the company will need to issue an all-new version of Skype rather than just a patch.
The vulnerability has been discovered and reported to Microsoft by security researcher Stefan Kanthak and resides in Skype’s update installer, which is susceptible to Dynamic Link Libraries (DLL) hijacking.
When Skype’s update installer tries to find the relevant DLL file, it will find the malicious DLL first, and thereby will install the malicious code.
Although Kanthak demonstrated the attack using the Windows version of Skype, he believes the same DLL hijacking method could also work against other operating systems, including Skype versions for macOS and Linux.
Kanthak informed Microsoft of the Skype vulnerability back in September, but the company told him that the patch would require the Skype update installer go through “a large code revision,” Kanthak told ZDNet.
The vulnerability has been rated as “medium” in severity, but Kanthak said, “the attack could be easily weaponized.” He gave two examples, which have not been released yet.
Until the company issues an all-new version of Skype client, users are advised to exercise caution and avoid clicking on attachments provided in an email. Also, make sure you run appropriate and updated anti-virus software that offers some defence against such attacks.
This is not the first time Skype has been dealing with a severe security flaw. In June 2017, a critical flaw in Skype was revealed before Microsoft released a fix for the issue that allowed hackers to crash systems and execute malicious code in them.
Last month, among several messaging applications, Skype was also dealing with a critical remote code execution vulnerability in Electron—a popular web application framework widely-used in desktop applications.