Skype Can't Fix a Nasty Security Bug Without a Massive Code Rewrite (zdnet.com)
ZDNet reports of a security flaw in Skype's updater process that "can allow an attacker to gain system-level privileges to a vulnerable computer." If the bug is exploited, it "can escalate a local unprivileged user to the full 'system' level rights -- granting them access to every corner of the operating system." What's worse is that Microsoft, which owns Skype, won't fix the flaw because it would require the updater to go through "a large code revision." Instead, Microsoft is putting all its resources on building an altogether new client. From the report: Security researcher Stefan Kanthak found that the Skype update installer could be exploited with a DLL hijacking technique, which allows an attacker to trick an application into drawing malicious code instead of the correct library. An attacker can download a malicious DLL into a user-accessible temporary folder and rename it to an existing DLL that can be modified by an unprivileged user, like UXTheme.dll. The bug works because the malicious DLL is found first when the app searches for the DLL it needs. Once installed, Skype uses its own built-in updater to keep the software up to date. When that updater runs, it uses another executable file to run the update, which is vulnerable to the hijacking. The attack reads on the clunky side, but Kanthak told ZDNet in an email that the attack could be easily weaponized. He explained, providing two command line examples, how a script or malware could remotely transfer a malicious DLL into that temporary folder.
The article indicates that the Updater is the problem, not Skype. The Updater runs in a privileged environment, and is susceptible to loading non-system DLLs. The article says the same can happen on Macs and on Linux except that neither platform uses DLLs nor allows sourcing libraries from local (non-system) directories.
Yeah, Linux doesn't have "DLLs"!! Because calling the same thing a
Spoken like somebody who doesn't really know what LD_PRELOAD actually does.
Quit being a DLLdo. Windows and Linux libraries are entirely different.
LD_PRELOAD is not enough for privilege escalation. You need more, like a buggy Microsoft product. Maybe Skype for Linux....
Linux is MORE vulnerable (Score:1)
Just look at the stats. Failing Linux has had hundreds of CVEs in just the last year with a lot more and worse severities than all the current versions of amazing Windows *combined*. If you want to trust your computer to be secure, you are better off with Windows than littul linux. It's a simple fact, easily proven, but completely politically incorrect to say here, even though everyone knows it is true.
I miss the days when every hacker under the sun would regularly release 0days for free that let you infect Windows machines just by sending a Skype message. Now you got to pay :( - or understand Russian :)
It's also interesting that after an installation there's actually a need to have system privileges for all updates. That should only be necessary for updates related to system interaction. Of course app updates should require higher privileges than user level, but not really touch the system level.
But given that it's Microsoft then you'd need a reboot too.
Open Source Rules! (Score:1)
Of course Linux is completely immune to such attacks because LD_PRELOAD is open source.
Phew. https://www.cs.rutgers.edu/~pxk/419/notes/content/04-injection-slides-6.pdf
...so which suid binary permits LD_PRELOAD attacks?
Oh! Look! The Microsoft shills are here!
Are you a regular employee being paid on the clock for this? Or are you the property of an astroturfing zoo?
Not everyone operates in the US tribal mindset where criticising Tribe A means you're automatically a member of Tribe B. Maybe both tribes have downsides.
why does Skype have "massive code" anyway? (Score:2)
it's an IM client with audio/video capabilities, wth
How are you supposed to hide massive security vulnerabilities under the vague guise of plausible deniability if you don't have a giant entrenched pile of garbage as a code base? You thought they kept rotating experienced, ethical developers off the project because of simple managerial incompetence, didn't you? The incompetence story is just more plausible deniability.
Download the offline installer? (Score:2)
That way you can be kinda sorta sure the entire thing came from Microsoft, maybe...
Won't help (Score:2)
which allows an attacker to trick an application into drawing malicious code instead of the correct library.
That doesn't sound like it comes from Microsoft. It seems to me that the regular installer takes bits and pieces from here and there to assemble the app on your computer. I don't see that risk if you download the whole chunk from MS. And I don't let it update automatically. I definitely could be wrong, but I still feel better doing my installs from a local file/folder that I know (or think I know) has
I have thought for years that Windows would be more secure if Microsoft provided a mechanism by which ISVs could hook into the Windows Update process and use that for program updates. The system could require code signatures to ensure that fakes are not being installed. Microsoft could make some money out of it by selling code signing certificates.
Obviously, they would have to take care that the ISV hooks could not overwrite any core Microsoft items and perhaps not overwrite any prior ISV hook.
And they've finally implemented exactly that, it's called "Windows Store" and they were the last major OS vendor to do so.
You can't just hook in though, you have to publish through the store, and that comes with all kinds of strings attached.
I find it amusing how the app store model is taking off, a few years ago this was one of the most common arguments against linux - the claim was that users want to buy software from a store or download from a random website and they won't like the repository model. Turns o
app store censorship (Score:2)
app store censorship needs to go.
Re:Download the offline installer? (Score:5, Informative)
1) drop a properly named nefarious dll in a tmp directory
2) alter the userspace path environment variable that will cause Skype's updater to search this folder first for that properly named nefarious dll
3) launch the skype installer which will then load the nefarious dll into a super user scope
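An audit script to go with the three steps above, added here and not taken from the article or from the commenter: given a DLL name and the directory an installer or updater runs from, it walks the directories Windows consults for that name (application directory, the system directories, the current directory, then PATH) and flags any directory that ordinary users can write to and that is consulted before the copy in System32. The default DLL name is the UXTheme.dll quoted in the summary; the application directory defaulting to %TEMP% and the list of "weak" principals are assumptions, not values from the page.

```powershell
# Added audit script (not from the article or the comment above).
param(
    [string]$DllName = 'UXTheme.dll',   # DLL name quoted in the ZDNet summary
    [string]$AppDir  = $env:TEMP        # assumed: where the updater unpacks itself
)

$systemDirs  = @("$env:SystemRoot\System32", "$env:SystemRoot\System", $env:SystemRoot)
# Order consulted with SafeDllSearchMode on: app dir, system dirs, current dir, PATH.
$searchOrder = @($AppDir) + $systemDirs + @((Get-Location).Path) +
               ($env:PATH -split ';' | Where-Object { $_ })

# Principals whose write access lets an unprivileged user plant a file (assumed list).
$weakPrincipals = 'Everyone|Authenticated Users|BUILTIN\\Users|INTERACTIVE'

function Test-WritableByUsers([string]$Dir) {
    if (-not (Test-Path -LiteralPath $Dir)) { return $false }
    $acl = Get-Acl -LiteralPath $Dir
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -match $weakPrincipals -and
            $ace.FileSystemRights.ToString() -match 'Write|Modify|FullControl') {
            return $true
        }
    }
    return $false
}

$seenSystem32 = $false
foreach ($dir in $searchOrder) {
    $candidate = Join-Path $dir $DllName
    $status    = 'absent'
    if (Test-Path -LiteralPath $candidate) {
        # Authenticode status tells you whether the copy found here is the vendor's.
        $sig    = Get-AuthenticodeSignature -LiteralPath $candidate
        $status = "present, signature=$($sig.Status)"
    }
    $flag = ''
    if (Test-WritableByUsers $dir) {
        if ($seenSystem32) { $flag = '  [user-writable; reached only if the name is absent from system dirs]' }
        else               { $flag = '  <-- user-writable AND searched before System32' }
    }
    "{0,-60} {1}{2}" -f $dir, $status, $flag
    if ($dir -ieq $systemDirs[0]) { $seenSystem32 = $true }
}
```

Run it as the unprivileged user whose environment the updater would inherit; a flagged line before System32 is exactly the precondition step 1 and step 2 above rely on, and pointing $AppDir at the real extraction folder tightens the result.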
Parent should have been the description in the
So... (Score:3)
If you can't fix the issue then let us have the option to remove the POS. Ever since they jammed the crappy product down my throat I've wished I could remove it, now would be a good time.
Last I checked, Skype was entirely optional to install, something you have to go out of your way to infect your system with, not something Microsoft jams down anyone's throat.
When Windows 8 came out, Skype was there by default. It also happened to be extra retarded by default. I remember it because some friends asked me to help them log in to the Skype app on a new Windows 8 machine. After some swearing and Googling, I discovered that the app bundled with Windows will only work with a Windows Live account; Skype logins that existed before the MS infection required that I uninstall the bundled version and get the less retarded version from Skype.com
I just installed Windows 10 fresh and there was a Skype icon already present. Worse, OneDrive runs at startup by default.
Skype == Turd (Score:1)
Skype turned into a huge turd when Microsoft touched it.
It took 6 attempts to get a call through without having either side sound like either Donald Duck or Mickey Mouse. Then of course, you need to make sure your 100/100 internet connection is fast enough, or you get the dreaded "poor quality connection"...
I fixed Skype by uninstalling it and using Google Hangouts.
Static Link? (Score:3)
While officially Microsoft supports static linking, in practice, it is necessary to use DLLs in many situations. The Microsoft official answer is at: Extension DLLs [microsoft.com]
The practical reasons that I have been forced to use DLLs are:
Probably. Or you could sign the libraries and executables. This is a common type of vulnerability that shouldn't happen, but does, due to laziness, but it is also relatively easy to fix. The summary's claim of a "massive code rewrite" being needed is sensationalist BS.
It certainly does look that way. Apparently the problem is in the updater. If your UPDATER even needs to be "completely rewritten", I don't see how that could be described as a "massive rewrite".
MS never wanted Skype, they wanted its userbase. Most users don't like the "new look" they gave it anyway. MS is just going to leverage this into a handy excuse to get the current Skype users to move over to their own home-grown IM
A rewrite, really? (Score:2)
Circle jerk (Score:2)
What's worse is that Microsoft, which owns Skype, won't fix the flaw because it would require the updater to go through "a large code revision." Instead, Microsoft is putting all its resources on building an altogether new client.
Man, I gotta hand it to whoever at Microsoft actually convinced their boss to go this route. There was an MSN Messenger once, you know, Microsoft's IM client; they dumped it and bought Skype. Now they're dumping Skype for in-house MSN Messenger 2.0? Hahahahaha nice job.