Skype Can't Fix a Nasty Security Bug Without a Massive Code Rewrite (zdnet.com) 151
ZDNet reports of a security flaw in Skype's updater process that "can allow an attacker to gain system-level privileges to a vulnerable computer." If the bug is exploited, it "can escalate a local unprivileged user to the full 'system' level rights -- granting them access to every corner of the operating system." What's worse is that Microsoft, which owns Skype, won't fix the flaw because it would require the updater to go through "a large code revision." Instead, Microsoft is putting all its resources on building an altogether new client. From the report: Security researcher Stefan Kanthak found that the Skype update installer could be exploited with a DLL hijacking technique, which allows an attacker to trick an application into drawing malicious code instead of the correct library. An attacker can download a malicious DLL into a user-accessible temporary folder and rename it to an existing DLL that can be modified by an unprivileged user, like UXTheme.dll. The bug works because the malicious DLL is found first when the app searches for the DLL it needs. Once installed, Skype uses its own built-in updater to keep the software up to date. When that updater runs, it uses another executable file to run the update, which is vulnerable to the hijacking. The attack reads on the clunky side, but Kanthak told ZDNet in an email that the attack could be easily weaponized. He explained, providing two command line examples, how a script or malware could remotely transfer a malicious DLL into that temporary folder.
Linux not vulnerable (Score:5, Informative)
The article indicates that the Updater is the problem, not Skype. The Updater runs in a privileged environment, and is susceptible to loading non-system DLLs. The article says the same can happen on Macs and on Linux except that neither platform uses DLLs nor allows sourcing libraries from local (no-system) directories.
E
Re: (Score:1)
Yeah, Linux doesn't have "DLLs"!! Because calling the same thing a .so makes it magically secure!
Spoken like somebody who doesn't really know what LD_PRELOAD actually does.
Re:Linux not vulnerable (Score:4, Funny)
Quit being a DLLdo. Windows and Linux libraries are entirely different.
Re: Linux not vulnerable (Score:4, Funny)
LD_PRELOAD is not enough for privilege escalation. You need more, like a buggy Microsoft product. Maybe Skype for Linux....
Skype for Linux is terrible (Score:1)
The old standalone client was bad. Rather than fixing it, they tried to push everyone into WebRTC.
The UI of Skype even on Mac is now awful. Microsoft took a piece of crap and piled on a layer of fresher crap.
The time has come for Skype to get tossed in the trash.
Re: Skype for Linux is terrible (Score:2)
Microsoft simply felt that it's UI wasn't modern enough, so they needed to modernize it. Modern meaning 50s era Scandinavian magazines, of course... Kind of like windows 1.x/2.x, only with a smaller color palette and no divider lines, this way it has to be really bright and contrasty colors, like a Fisher-Price toy.
Re: (Score:1)
Microsoft simply felt that it's UI wasn't modern enough, ... it has to be really bright and contrasty colors, like a Fisher-Price toy.
So, back to XP?
Re: Linux not vulnerable (Score:2)
Re: (Score:1)
Re: (Score:2)
Quit being a DLLdo. Windows and Linux libraries are entirely different.
Nonsense. It's all the same shit with uninteresting semantic differences.
Re:Linux not vulnerable (Score:4, Informative)
Linux is MORE vulnerable (Score:3, Funny)
Just look at the stats. Failing Linux has had hundreds of CVE's in just the last year with a lot more and worse severities than all the current versions of amazing Windows *combined*. If you want to trust your computer to be secure, you are better off with Windows than littul linux. It's a simple fact, easily proven, but completely politically incorrect to say here which is everyone knows it is true.
Re: Linux is MORE vulnerable (Score:5, Funny)
I miss the days when every hacker under the sun would regularily release 0days for free that let you infect windows machines just by sending a skype message. Now you got to pay :( - or understand russian :)
Re: (Score:2)
It's also interesting that after an installation there's actually a need to have system privileges for all updates. That should only be necessary for updates related to system interaction. Of course app updates should require higher privileges than user level, but not really touch the system level.
But given that it's Microsoft then you'd need a reboot too.
Re: (Score:2)
Re: (Score:2)
If you need root privileges to run a package manager, then the installed packages are only root writeable.
If they would be owned by an ordinary user you would not need root privileges.
Reboots are completely unnecessary, if the system is done right. Unless you want to load a new kernel, or rare cases a new device driver, there is no reason at all.
Re: (Score:2)
Re: (Score:2)
Then explain please, why did you write this:
Every Linux package manager I've ever used uses root privileges to update app packages. ?
And why this:
The need for reboots has nothing to do with permissions. ?
No one said reboots have anything to do with permissions. Reboots in windows are 99% of the time are unnecessary as well, but the stupid guy who programmed the installer added a "lets reboot after install for good measure".
Re: (Score:2)
Neither platform uses DLLs because they call their dynamically linked libraries something else. For instance, just as you’ll see .app instead of .exe on macOS, you’ll see .dylib instead of .dll. Same basic notion, different extension, same design that leaves it open to attack.
Linux Skype is Web Skype (Score:2)
Modern Skype is mostly Web Skype.
Modern "Skype for Linux" version 8.x is just Web Skype, packaged together with Chromium, thanks to Electron framework.
(Unlike older versions 4.y which were a Qt port of an older Windows native application).
The most recent version has moved away from binary plugins for the Audio/Video and/or from Microsoft's own NIH syndrom.
And transitioned to WebRTC + HTML5 Video.
But you don't even actually need to install this piece of crap.
- You can browse to http://webskype.com/ [webskype.com]
Re: Linux not vulnerable (Score:1)
Re: (Score:2)
Of course Macs and Linux use DLLs to: dynamic linked libraries do not need to end in *.dll ... e.g. on linux and macs and basically any unix system they end in *.so
Re: (Score:2, Informative)
Linux [...] In fact, I've accidentally run into library versions probems because I had a copy in my home directory along with an executable.
There are two things you need to deliberately do to make that happen:
Set PATH to include your home directory.
Set LD_PRELOAD appropriately or LD_LIBRARY_PATH to your home directory.
So you've never accidentally run into that problem. You have to deliberately create that problem in two separate and independent steps.
Re: (Score:2)
Open Source Rules! (Score:1)
Of course Linux is completely immune to such attacks because LD_PRELOAD is open source.
Phew. https://www.cs.rutgers.edu/~pxk/419/notes/content/04-injection-slides-6.pdf
Re: (Score:1)
Re: (Score:3)
Not everyone operates in the US tribal mindset where criticising Tribe A means you're automatically a member of Tribe B. Maybe both tribes have downsides.
Re: (Score:1)
Re: (Score:2, Funny)
Trump himself said he did it. He said "no collusion", which in Trump-speak means "I colluded".
We are slowly realises that whatever Trump says, he means the opposite. "Largest ever inauguration crowd" means it wasn't. "Building a wall" means he won't.
The Trump fans took Trump seriously, but not literally. The general pubic took Trump retardedly, but not unretardedly.
Re: (Score:2)
We don't have any evidence of it, but the media wouldn't be talking about it so much and for so long if it wasn't true.
Re: Russians! (Score:1)
why does skype have "massive code" anyway? (Score:2)
it's a IM client with audio/video capabilities, wth
Re: (Score:3)
Re: (Score:1)
How are you supposed to hide massive security vulnerabilities under the vague guise of plausible deniability if you don't have a giant entrenched pile of garbage as a code base? You thought they kept rotating experienced, ethical developers off the project because of simple managerial incompetence, didn't you? The incompetence story is just more plausible deniability.
Re: (Score:3)
It's a huge mess. I can't even get voice/video calls to work through a firewall as it requires like 20 different rules for all sorts of ports -- it's ancient code, written in an ancient time when every new feature required its own port and protocol.
Compare that with Hangouts or Slack (the client), which just works out of the box without any changes to my firewall.
Besides, I'm sure 90% of the code is the bolted on library for serving you ads in the middle of your face.
Re: (Score:2)
Who knows about Skype. This is the updater app that has massive code.
Download the offline installer? (Score:3, Insightful)
That way you can be kinda sorta sure the entire thing came from Microsoft, maybe...
Won't help (Score:3)
Re: (Score:1)
which allows an attacker to trick an application into drawing malicious code instead of the correct library.
That doesn't sound like it comes from Microsoft. It seems to me that the regular installer takes bits and pieces from here and there to assemble the app on your computer. I don't see that risk if you download the whole chunk from MS. And I don't let it update automatically. I definitely could be wrong, but I still feel better doing my installs from a local file/folder that I know (or think I know) has
Re: (Score:2)
I have thought for years that Windows would be more secure if Microsoft provided a mechanism by which ISVs could hook into the Windows Update process and use that for program updates. The system could required code signatures to ensure that fakes are not being installed. Microsoft could make some money out of it by selling code signing certificates.
Obviously, they would have to take care that the ISV hooks could not overwrite any core Microsoft items and perhaps not overwrite any prior ISV hook.
Re: (Score:3)
And they've finally implemented exactly that, it's called "windows store" and they were the last major os vendor to do so.
You can't just hook in tho, you have to publish through the store, and that comes with all kinds of strings attached.
I find it amusing how the app store model is taking off, a few years ago this was one of the most common arguments against linux - the claim was that users want to buy software from a store or download from a random website and they won't like the repository model. Turns o
app store censorship (Score:2)
app store censorship needs to go.
Re: (Score:2)
It's not really the app store they care about, that's just a way of making getting what they really want more convenient. And what they want is Microsoft Word and Excel, YouTube, Facebook and Maps.
Geeks like us hate all that. We see it as bloatware, crap we don't want rammed in our faces. But for ordinary users it's exactly what they want. They don't care about your repo with 57 different IRC clients and 9 versions of Firefox with slightly different licence terms. They want Skype and WhatsApp, because that'
Re:Download the offline installer? (Score:5, Informative)
1) drop a properly named nefarious dll in a tmp directory
2) alter the userspace path environment variable that will cause skypes updater to search this folder first for that properly named nefarious dll
3) launch the skype installer which will then load the nefarious dll into a super user scope
Re: (Score:2)
Parent should have been the description in the /. story.
Re: (Score:2)
agreed! Why are 95% of Slashdot submissions simple cut-and-pastes? Instead, we should be tailoring the summary to the geek audience.
Re: (Score:2)
Didn't Word etc have the same bug, about five years ago?
DLL preloading attack was what it was called. You could drop a Word document into the same directory with a malicious DLL file, and if you double-clicked that document, Word would load the DLL instead of the system one.
If your program doesn't pass a fully qualified path to LoadLibrary/LoadLibraryEx... well, it uses the system path to search for it.
So... (Score:3)
If you can't fix the issue then let us have the option to remove the POS. Ever since they jammed the crappy product down my throat wished I could remove it, now would be a good time.
Re: (Score:2)
Re: (Score:2)
Wake me up when darktable is better than lightroom and the gimp is on the level of photoshop. Not holding my breath here......
And inkscape? Its nice but nowhere near as powerful and industry supported as Illustrator.
Re: (Score:2)
Except linux lags behind Windows on the desktop in terms of usability badly. Not to mention that all the real world applications I need are only on Windows. And games. Wine is great and all but the last time I tried it, I was seeing my nvidia card perform about half as well as it should have. Pass. I do like linux, but lets be honest, its a broken fragmented mess with few quality commercial applications for it.
Re: (Score:2)
"Better question, who the hell in their right mind knowing what we all know about software and the industry would use windows anything?"
Anyone who works for someone else who requires it. I'd love to have the choice but my current contract and previous one for that matter required Windows 10 and a Hotmail account. The HR software of their choosing was windows only and to get into MSDN and the enterprise support sites you have to use a Hotmail account...
Re: (Score:3, Interesting)
Last I checked, Skype was entirely optional to install, something you have to go out of your way to infect your system with, not something Microsoft jams down anyone's throat.
When WIndows 8 came out, Skype was there by default. It also happened to be extra retarded by default. I remember it because some friends asked me to help them log in to the Skype app on a new Windows 8 machine. After some swearing and Googling, I discovered that the app bundled with Windows will only work with a Windows Live account, Skype logins that existed before the MS infection required that I uninstall the bundled version and get the less retarded version from Skype.com
Re: (Score:3)
I just installed Windows 10 fresh and there was a Skype icon already present. Worse, OneDrive runs at startup by default.
Re: So... (Score:1)
Re: (Score:2)
Please check again, Skype is part of Internet Exploiter 11 and installed on Windows 10 by default. It cannot be uninstalled nor disabled, you can just never activate it or connect a Microsoft account to it to prevent it from initializing. I generally use Linux but I am required to keep a Windows system around for HR software and use a Hotmail account to access M$ websites for enterprise support.
Re: (Score:2)
If you can't fix the issue then let us have the option to remove the POS.
Ever considered uninstalling it?
Re: (Score:2)
More than considered it, spent several hours researching and attempting it but much like cancer it grows back and is deeply rooted in the both the system and the browser.... I'd gladly do away with windows but the employer uses HR software that only runs on Windows 10 and Hotmail for required MS support purposes.
Re: (Score:2)
Interesting. Just right clicking Skype on the start menu and clicking Uninstall seems to do the trick just fine too. There's nothing deep about it. It's a standard UWP app.
Re: (Score:2)
Perhaps skype imbedded in Internet exploiter is different from the installed version. I do not have an installed version but rather the imbedded version in the outlook mail client I am required to keep for work. But just go on assuming you know everything about everything. It seems to have served you well to this point...
Re:So...and this Onedrive crap too (Score:1)
Skype == Turd (Score:1)
Skype turned into a huge turd when Microsoft touched it.
It took 6 attempts to get a call through without having either side sound like either donald duck, or mickey mouse. Then of course, you need to make sure your 100/100 internet connection is fast enough, or you get the dreaded "poor quality connection"...
I fixed skype by uninstalling it and using google hangouts.
Static Link? (Score:3)
Re:Static Link? (Score:5, Informative)
While officially Microsoft supports static linking, in practice, it is necessary to use DLLs in many situations. The Microsoft official answer is at: Extension DLLs [microsoft.com]
The practical reasons that I have been forced to use DLLs are:
Re: (Score:2)
1. If you want your application to upgrade smoothly over the years, you have to use either the DLL calls or the windows system calls and avoid the statically linked C libraries. For instance, when the times and dates for daylight savings time change, only the windows calls get updated automatically. The statically linked libraries don't get updated. DLL libraries get updated when the DLL gets updated (which can lead to DLL Hell, but that is another story.)
Normally Microsoft C library hands off to windows to process time. When daylight savings time changes statically linked C libraries do not have to be updated or applications recompiled to take advantage of these changes.
They have internal logic that can get out of sync however as a practical matter it's a fallback that is never used.
If you have an application that allocates memory in one DLL and frees it in another
Then the application is BROKEN.
then it is vital that the library that does the memory management be a DLL. Otherwise, each DLL has it's own statically linked memory mapping library, and they don't know about each other's allocations.
GIGO
Re: (Score:2)
2. If you have an application that allocates memory in one DLL and frees it in another, then it is vital that the library that does the memory management be a DLL. Otherwise, each DLL has it's own statically linked memory mapping library, and they don't know about each other's allocations. ... problem solved, facepalm.
Then don't link memory management code into those DLLs
5. Only the really old languages like C++ and QuickBasic supports static linking. I'm pretty sure Visual Basic, C# and .NET all require DL
Re: (Score:2)
Re: (Score:2)
It certainly does look that way. Apparently the problem is in the updater. If your UPDATER even needs to be "completely rewritten", I don't see how that could be described as a "massive rewrite".
MS never wanted skype, they wanted its userbase. Most users don't like the "new look" they gave it anyway. MS is just going to leverage this into a handy excuse to get the current skype users to move over to their own home-grown IM
Re: (Score:1)
I think I know why they claim a need to rewrite their downloader, it's because of the way the loader does implicit loading of DLLs at process initialization.
This implicit loading is vulnerable to DLL hijacking , and mitigations like SetDLLDirectory() and such don't help because it happens before any code in their updater gets to run -- even if they use a custom entry point. You can see this yourself by using WinDbg with Loader Snaps enabled , you will see DLL loads occurring before any of your own code get
Re: (Score:2)
Re: (Score:2)
I think at this point application vendors could solve a multitude of problems by providing statically linked applications. Issues like memory and disk space aren't as big of an impact as they once were.
But I think the reason we won't see a renaissance in statically linked applications is that vendors LIKE the fact that installers get run as privileged users because it lets them snoop the system and install telemetry they couldn't do with a static executable.
To be sure, there are good arguments against stat
Did I end up in the bizarro universe somehow? (Score:1)
This exact same "attack" has been the root cause of dozens of Windows vulnerabilities reported on Slashdot over the past decade.
EVERYONE should already know about this flaw, so Microsoft has no right to act like it didn't know about the flaw when they purchased Skype.
If any program allows downloads to its %PATH%, then it's 100% vulnerable to this exploit.
p.s. This is also the reason you should never launch an installer from the download directory for your web browser. (Yes, that was also a story on /., but
A rewrite, really? (Score:2)
Re: (Score:2)
Yup. Secure DLL search paths isn't that hard to implement.
Circle jerk (Score:5, Interesting)
What's worse is that Microsoft, which owns Skype, won't fix the flaw because it would require the updater to go through "a large code revision." Instead, Microsoft is putting all its resources on building an altogether new client.
Man I gotta hand it to whomever at Microsoft actually convinced their boss to go this route. There was a MSN messenger once, you know, Microsoft's IM client, they dumped it and bought Skype. Now they're dumping Skype for inhouse MSN messenger 2.0? Hahahahaha nice job.
Re: (Score:2)
Hahahahaha nice job
Yes it is. Think about this for a second. Some of the biggest improvements to OSes have come from major re-writes. This isn't a big deal for a software company as much as it is business as usual.
Likewise some of the biggest purchases and acquisitions have had zero to do with software. Software is just some code anyone can write. You think a couple of guys in Estonia could do something Microsoft couldn't? The reason Skype was purchased was IP + userbase. This IP+userbase was merged with the existing IP+userb
Always makes me chuckle and irked (Score:2)
These programs are a plague that expects their users to run their computers (as admin) on a day to day basis. They encourage poor security habits.
When I get irked about the constant pop ups and threats I will log out of my user account
While they're rewriting it... (Score:2)
...they can damned well reinstate the API used by the Netgear Skype DECT phone I paid a shitload for. The one that says "Skype certified" on it. >:(
What Else ? (Score:1)
What Else ? (Score:1)
Do you really insist in shooting your own foot? (Score:2)
Skype was unique when it was new. A simple to use, easy tool for voice and text chat. And one that can even do phone calls if you so please. People jumped onto it because, well, it was the only one.
Fast forward to today when this monopoly situation ain't so true anymore. Considering how Skype refuses to play nice with any of the other kids in the communication and messenger pool, insisting on being a special little snowflake that nobody may touch with their grubby paws, Skype is pretty much the tool you use
Requires local access (Score:2)
Should be noted that the bug requires that the attacker can write a DLL to your file system. So the user already needs to be downloading random DLLs, be a multi-user system or some other software needs to be exploited to write a DLL.
For a typical home PC this bug doesn't seem like a particularly problematic issue.
Re: Hey excuse me psst cunts.. (Score:2)
20.......16, doh.
Re: (Score:2)
Discord
Re: (Score:1)
Hosts fix -everything- though!