Bug Security Microsoft Operating Systems Programming Software

Skype Can't Fix a Nasty Security Bug Without a Massive Code Rewrite (zdnet.com)

ZDNet reports on a security flaw in Skype's updater process that "can allow an attacker to gain system-level privileges to a vulnerable computer." If the bug is exploited, it "can escalate a local unprivileged user to the full 'system' level rights -- granting them access to every corner of the operating system." What's worse is that Microsoft, which owns Skype, won't fix the flaw because it would require the updater to go through "a large code revision." Instead, Microsoft is putting all its resources into building an altogether new client.

From the report: Security researcher Stefan Kanthak found that the Skype update installer could be exploited with a DLL hijacking technique, which allows an attacker to trick an application into drawing malicious code instead of the correct library. An attacker can download a malicious DLL into a user-accessible temporary folder and rename it to an existing DLL that can be modified by an unprivileged user, like UXTheme.dll. The bug works because the malicious DLL is found first when the app searches for the DLL it needs. Once installed, Skype uses its own built-in updater to keep the software up to date. When that updater runs, it uses another executable file to run the update, which is vulnerable to the hijacking. The attack reads on the clunky side, but Kanthak told ZDNet in an email that the attack could be easily weaponized. He explained, providing two command-line examples, how a script or malware could remotely transfer a malicious DLL into that temporary folder.

  • Linux not vulnerable (Score:5, Informative)

    by gavron ( 1300111 ) on Monday February 12, 2018 @10:10PM (#56112807)

    The article indicates that the Updater is the problem, not Skype. The Updater runs in a privileged environment, and is susceptible to loading non-system DLLs. The article says the same can happen on Macs and on Linux except that neither platform uses DLLs nor allows sourcing libraries from local (non-system) directories.

    E

    • by Anonymous Coward

      Yeah, Linux doesn't have "DLLs"!! Because calling the same thing a .so makes it magically secure!

      Spoken like somebody who doesn't really know what LD_PRELOAD actually does.

      • by Anonymous Coward on Monday February 12, 2018 @11:17PM (#56113055)

        Quit being a DLLdo. Windows and Linux libraries are entirely different.

        • by WarJolt ( 990309 ) on Tuesday February 13, 2018 @12:00AM (#56113195)

          LD_PRELOAD is not enough for privilege escalation. You need more, like a buggy Microsoft product. Maybe Skype for Linux....

          • by Anonymous Coward

            The old standalone client was bad. Rather than fixing it, they tried to push everyone into WebRTC.

            The UI of Skype even on Mac is now awful. Microsoft took a piece of crap and piled on a layer of fresher crap.

            The time has come for Skype to get tossed in the trash.

            • Microsoft simply felt that its UI wasn't modern enough, so they needed to modernize it. Modern meaning 50s-era Scandinavian magazines, of course... Kind of like Windows 1.x/2.x, only with a smaller color palette and no divider lines; this way it has to be really bright and contrasty colors, like a Fisher-Price toy.

              • by Gr8Apes ( 679165 )

                Microsoft simply felt that its UI wasn't modern enough, ... it has to be really bright and contrasty colors, like a Fisher-Price toy.

                So, back to XP?

        • Quit being a DLLdo. Windows and Linux libraries are entirely different.

          Nonsense. It's all the same shit with uninteresting semantic differences.

    • by Xenx ( 2211586 ) on Monday February 12, 2018 @10:25PM (#56112875)
      The article links to a bulletin on hijacking of dynamic libraries on OSX. So......
    • by Anonymous Coward

      Just look at the stats. Failing Linux has had hundreds of CVEs in just the last year, with a lot more and worse severities than all the current versions of amazing Windows *combined*. If you want to trust your computer to be secure, you are better off with Windows than littul linux. It's a simple fact, easily proven, but completely politically incorrect to say here, which everyone knows is true.

    • by Z00L00K ( 682162 )

      It's also interesting that after an installation there's actually a need to have system privileges for all updates. That should only be necessary for updates related to system interaction. Of course app updates should require higher privileges than user level, but not really touch the system level.

      But given that it's Microsoft then you'd need a reboot too.

      • It's also interesting that after an installation there's actually a need to have system privileges for all updates.

        Why is that interesting? Every Linux package manager I've ever used uses root privileges to update app packages. Complex permission schemes are possible in both Windows and Linux. People don't use them in either because they are not worth the trouble.

        Of course app updates should require higher privileges than user level

        No, they shouldn't. Apps that are installed in the user's profile only need user's permissions to update.

        But given that it's Microsoft then you'd need a reboot too.

        The need for reboots has nothing to do with permissions.

        • If you need root privileges to run a package manager, then the installed packages are only root writeable.
          If they would be owned by an ordinary user you would not need root privileges.

          Reboots are completely unnecessary, if the system is done right. Unless you want to load a new kernel, or rare cases a new device driver, there is no reason at all.

          • If you need root privileges to run a package manager, then the installed packages are only root writeable.
            If they would be owned by an ordinary user you would not need root privileges.

            I understand that. The same principles apply in Windows. It's as if you weren't even reading what I wrote.

            Reboots are completely unnecessary, if the system is done right. Unless you want to load a new kernel, or rare cases a new device driver, there is no reason at all.

            I understand that you're a big Linux fan and you think Windows is the worst thing to ever grace humanity, but I was talking about the reason for needing reboots in Windows, since that's what the parent was talking about.

            • Then explain please, why did you write this:
              Every Linux package manager I've ever used uses root privileges to update app packages. ?
              And why this:
              The need for reboots has nothing to do with permissions. ?
              No one said reboots have anything to do with permissions. Reboots in Windows are 99% of the time unnecessary as well, but the stupid guy who programmed the installer added a "let's reboot after install for good measure".

    • Neither platform uses DLLs because they call their dynamically linked libraries something else. For instance, just as you’ll see .app instead of .exe on macOS, you’ll see .dylib instead of .dll. Same basic notion, different extension, same design that leaves it open to attack.

    • Modern Skype is mostly Web Skype.

      Modern "Skype for Linux" version 8.x is just Web Skype, packaged together with Chromium, thanks to Electron framework.
      (Unlike older versions 4.y which were a Qt port of an older Windows native application).
      The most recent version has moved away from binary plugins for the Audio/Video and/or from Microsoft's own NIH syndrome.
      And transitioned to WebRTC + HTML5 Video.

      But you don't even actually need to install this piece of crap.
      - You can browse to http://webskype.com/ [webskype.com]

    • First of all the Skype updater is part of Skype. Second, Linux has dynamically linked libraries. Not only should this not be marked informative in any way, your entire post is 100% "misinformative."
    • Of course Macs and Linux use DLLs too: dynamic linked libraries do not need to end in *.dll ... e.g. on Linux and Macs and basically any Unix system they end in *.so

  • by Anonymous Coward

    Of course Linux is completely immune to such attacks because LD_PRELOAD is open source.

    Phew. https://www.cs.rutgers.edu/~pxk/419/notes/content/04-injection-slides-6.pdf

    • Oh! Look! The microsoft shills are here!

      are you a regular employee being paid on the clock for this? or are you the property of an astroturfing zoo?

      • Not everyone operates in the US tribal mindset where criticising Tribe A means you're automatically a member of Tribe B. Maybe both tribes have downsides.

        • Man. wow.

          You know, I'm sorry!

          Because instead of meaning "explicitly, because of your criticism of tribe A you're OBVIOUSLY tribe B!"

          What I meant was "That's an odd analysis, since knowing that LD_PRELOAD exists would indicate you have a strong understanding of Linux and SHOULD indicate that you understand there's no way to turn that into a suid exploit allowing you to replace system libraries with app libraries. and given the mutually inclusive nature of the two, that you would express the first while

  • it's a IM client with audio/video capabilities, wth

    • by AHuxley ( 892839 )
      PRISM
    • How are you supposed to hide massive security vulnerabilities under the vague guise of plausible deniability if you don't have a giant entrenched pile of garbage as a code base? You thought they kept rotating experienced, ethical developers off the project because of simple managerial incompetence, didn't you? The incompetence story is just more plausible deniability.

    • by swilver ( 617741 )

      It's a huge mess. I can't even get voice/video calls to work through a firewall as it requires like 20 different rules for all sorts of ports -- it's ancient code, written in an ancient time when every new feature required its own port and protocol.

      Compare that with Hangouts or Slack (the client), which just works out of the box without any changes to my firewall.

      Besides, I'm sure 90% of the code is the bolted on library for serving you ads in the middle of your face.

    • by ceoyoyo ( 59147 )

      Who knows about Skype. This is the updater app that has massive code.

  • by fustakrakich ( 1673220 ) on Monday February 12, 2018 @10:15PM (#56112831) Journal

    That way you can be kinda sorta sure the entire thing came from Microsoft, maybe...

    • You seem to misunderstand. The entire thing from Microsoft is the part with the flaw. The way this works is something else would get you infected with malware, which would then leverage Skype's update process to gain administrative access to your system silently.
      • which allows an attacker to trick an application into drawing malicious code instead of the correct library.

        That doesn't sound like it comes from Microsoft. It seems to me that the regular installer takes bits and pieces from here and there to assemble the app on your computer. I don't see that risk if you download the whole chunk from MS. And I don't let it update automatically. I definitely could be wrong, but I still feel better doing my installs from a local file/folder that I know (or think I know) has

      • I have thought for years that Windows would be more secure if Microsoft provided a mechanism by which ISVs could hook into the Windows Update process and use that for program updates. The system could require code signatures to ensure that fakes are not being installed. Microsoft could make some money out of it by selling code signing certificates.

        Obviously, they would have to take care that the ISV hooks could not overwrite any core Microsoft items and perhaps not overwrite any prior ISV hook.

        • by Bert64 ( 520050 )

          And they've finally implemented exactly that, it's called "windows store" and they were the last major os vendor to do so.
          You can't just hook in tho, you have to publish through the store, and that comes with all kinds of strings attached.

          I find it amusing how the app store model is taking off, a few years ago this was one of the most common arguments against linux - the claim was that users want to buy software from a store or download from a random website and they won't like the repository model. Turns o

          • app store censorship needs to go.

          • by AmiMoJo ( 196126 )

            It's not really the app store they care about, that's just a way of making getting what they really want more convenient. And what they want is Microsoft Word and Excel, YouTube, Facebook and Maps.

            Geeks like us hate all that. We see it as bloatware, crap we don't want rammed in our faces. But for ordinary users it's exactly what they want. They don't care about your repo with 57 different IRC clients and 9 versions of Firefox with slightly different licence terms. They want Skype and WhatsApp, because that'

    • by Rockoon ( 1252108 ) on Monday February 12, 2018 @11:42PM (#56113115)
      The issue as I understand it is that a bit of nefarious code running in user scope can take these steps:

      1) drop a properly named nefarious DLL in a tmp directory
      2) alter the userspace PATH environment variable so that Skype's updater searches this folder first for that properly named nefarious DLL
      3) launch the Skype installer, which will then load the nefarious DLL into a super-user scope
      • Parent should have been the description in the /. story.

        • by MobyDisk ( 75490 )

          agreed! Why are 95% of Slashdot submissions simple cut-and-pastes? Instead, we should be tailoring the summary to the geek audience.

      • Didn't Word etc have the same bug, about five years ago?

        DLL preloading attack was what it was called. You could drop a Word document into the same directory with a malicious DLL file, and if you double-clicked that document, Word would load the DLL instead of the system one.

        If your program doesn't pass a fully qualified path to LoadLibrary/LoadLibraryEx... well, it uses the system path to search for it.
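The step list Rockoon gives above, and the remark that a bare name passed to LoadLibrary goes through the system search path, can be checked against the documented Windows DLL search order. What follows is an added example, not part of this thread and not Skype's or Microsoft's code: an in-memory model of the order Windows uses when SafeDllSearchMode is on (the default), namely the application directory, System32, the 16-bit System directory, the Windows directory, the current directory and then each %PATH% entry. The file system, the user's %TEMP% path and the helper executable name are constructed for the demonstration and are assumptions of the example; KnownDLLs, manifests, SetDllDirectory and already-loaded modules are left out. It shows a bare-name load of UXTheme.dll taking the planted copy only when the loading executable's own directory is user-writable, a %PATH% entry winning only for a name that no earlier directory satisfies, and two hardened loads (a System32-only search as with LOAD_LIBRARY_SEARCH_SYSTEM32, or a fully qualified path) never consulting the user-controlled directories.

```python
"""Added example: an in-memory model of the Windows DLL search order.

Not Skype's or Microsoft's code. Models the documented order used when
SafeDllSearchMode is on: application directory, System32, the 16-bit System
directory, the Windows directory, the current directory, then each %PATH%
entry. KnownDLLs, manifests and already-loaded modules are ignored. The
file system, user paths and helper names below are constructed.
"""

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"


def _norm(path: str) -> str:
    """Case-insensitive, trailing-backslash-insensitive path key."""
    return path.rstrip("\\").lower()


class FakeFileSystem:
    """A set of file paths standing in for the Windows file system."""

    def __init__(self, files):
        self._files = {_norm(f) for f in files}

    def exists(self, path: str) -> bool:
        return _norm(path) in self._files


def search_order(app_dir: str, cwd: str, path_env: str):
    """Directories a bare-name LoadLibrary call is searched in, in order."""
    path_dirs = [p for p in path_env.split(";") if p]
    return [app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd] + path_dirs


def resolve(name: str, dirs, fs: FakeFileSystem):
    """Return the first directory in `dirs` that holds `name` (joined), or None."""
    for d in dirs:
        candidate = d.rstrip("\\") + "\\" + name
        if fs.exists(candidate):
            return candidate
    return None


def load_library_by_name(name, fs, app_dir, cwd, path_env):
    """Vulnerable pattern: LoadLibrary("UXTheme.dll") with a bare file name."""
    return resolve(name, search_order(app_dir, cwd, path_env), fs)


def load_library_system32_only(name, fs):
    """Hardened pattern: LoadLibraryEx(name, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32)
    for a DLL that is known to live in System32; nothing else is searched."""
    return resolve(name, [SYSTEM32], fs)


def load_library_fully_qualified(path, fs):
    """Hardened pattern: pass the fully qualified path; no search happens."""
    return path if fs.exists(path) else None


def demo():
    """Scenarios an unprivileged user can arrange; returns what each load picks."""
    tmp = r"C:\Users\alice\AppData\Local\Temp"  # user-writable (constructed)
    fs = FakeFileSystem([
        SYSTEM32 + r"\UXTheme.dll",        # the genuine DLL
        tmp + r"\UXTheme.dll",             # attacker's copy dropped in %TEMP%
        tmp + r"\UpdateHelper.exe",        # hypothetical helper run out of %TEMP%
        tmp + r"\MissingHelper.dll",       # a name no system directory satisfies
    ])
    path_env = tmp + ";" + SYSTEM32        # attacker prepended %TEMP% to PATH
    results = {}
    # 1: the helper executable runs out of %TEMP%, so the application
    #    directory (searched first) is user-writable; the planted copy wins.
    results["app_dir_is_temp"] = load_library_by_name(
        "UXTheme.dll", fs, app_dir=tmp, cwd=r"C:\Users\alice", path_env=path_env)
    # 2: the executable runs from Program Files; System32 is searched before
    #    the current directory and %PATH%, so the planted UXTheme.dll loses...
    results["app_dir_is_program_files"] = load_library_by_name(
        "UXTheme.dll", fs, app_dir=r"C:\Program Files\Skype", cwd=tmp, path_env=path_env)
    # 3: ...but a name that no earlier directory holds is still taken from %PATH%.
    results["missing_dll_from_path"] = load_library_by_name(
        "MissingHelper.dll", fs, app_dir=r"C:\Program Files\Skype",
        cwd=r"C:\Users\alice", path_env=path_env)
    # Hardened loads never consult the user-controlled directories.
    results["system32_only"] = load_library_system32_only("UXTheme.dll", fs)
    results["system32_only_missing"] = load_library_system32_only("MissingHelper.dll", fs)
    results["fully_qualified"] = load_library_fully_qualified(SYSTEM32 + r"\UXTheme.dll", fs)
    return results


if __name__ == "__main__":
    for scenario, picked in demo().items():
        print(f"{scenario:26s} -> {picked}")
```

Running it prints which file each scenario resolves to. Note that the SetDllDirectory("") one-liner mentioned elsewhere in this thread removes only the current-directory entry from this order; it does nothing about an executable that runs out of a user-writable application directory, nor about %PATH% entries, which is why a System32-only search flag or a fully qualified path is the stronger fix for a system DLL.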

  • by Archfeld ( 6757 ) <treboreel@live.com> on Monday February 12, 2018 @10:18PM (#56112841) Journal

    If you can't fix the issue then let us have the option to remove the POS. Ever since they jammed the crappy product down my throat I've wished I could remove it; now would be a good time.

    • If you can't fix the issue then let us have the option to remove the POS.

      Ever considered uninstalling it?

      • by Archfeld ( 6757 )

        More than considered it; spent several hours researching and attempting it, but much like cancer it grows back and is deeply rooted in both the system and the browser.... I'd gladly do away with Windows but the employer uses HR software that only runs on Windows 10 and Hotmail for required MS support purposes.

        • Interesting. Just right clicking Skype on the start menu and clicking Uninstall seems to do the trick just fine too. There's nothing deep about it. It's a standard UWP app.

          • by Archfeld ( 6757 )

            Perhaps Skype embedded in Internet Exploiter is different from the installed version. I do not have an installed version but rather the embedded version in the Outlook mail client I am required to keep for work. But just go on assuming you know everything about everything. It seems to have served you well to this point...

    • My hatred of Skype is second only to that of One Drive. Though I've somehow maintained a $10 account balance on Skype by logging in once every couple of years.
  • by Anonymous Coward

    Skype turned into a huge turd when Microsoft touched it.

    It took 6 attempts to get a call through without having either side sound like either donald duck, or mickey mouse. Then of course, you need to make sure your 100/100 internet connection is fast enough, or you get the dreaded "poor quality connection"...

    I fixed skype by uninstalling it and using google hangouts.

  • by ChodaBoyUSA ( 2532764 ) on Monday February 12, 2018 @10:45PM (#56112949)
    Could they just static link the libraries to avoid the use of DLLs until the replacement is ready?
    • Re:Static Link? (Score:5, Informative)

      by Cassini2 ( 956052 ) on Tuesday February 13, 2018 @12:39AM (#56113335)

      While officially Microsoft supports static linking, in practice, it is necessary to use DLLs in many situations. The Microsoft official answer is at: Extension DLLs [microsoft.com]

      The practical reasons that I have been forced to use DLLs are:

      • 1. If you want your application to upgrade smoothly over the years, you have to use either the DLL calls or the windows system calls and avoid the statically linked C libraries. For instance, when the times and dates for daylight savings time change, only the windows calls get updated automatically. The statically linked libraries don't get updated. DLL libraries get updated when the DLL gets updated (which can lead to DLL Hell, but that is another story.)
      • 2. If you have an application that allocates memory in one DLL and frees it in another, then it is vital that the library that does the memory management be a DLL. Otherwise, each DLL has its own statically linked memory mapping library, and they don't know about each other's allocations.
      • 3. (2) applies to applications that use new and delete. It also applies to applications that are ActiveX controls and using IMalloc.
      • 4. Some of the cool Microsoft libraries link to DLLs, so it doesn't matter if you want to use static libraries. You are getting DLLs.
      • 5. Only the really old languages like C++ and QuickBasic support static linking. I'm pretty sure Visual Basic, C# and .NET all require DLLs.
      • 1. If you want your application to upgrade smoothly over the years, you have to use either the DLL calls or the windows system calls and avoid the statically linked C libraries. For instance, when the times and dates for daylight savings time change, only the windows calls get updated automatically. The statically linked libraries don't get updated. DLL libraries get updated when the DLL gets updated (which can lead to DLL Hell, but that is another story.)

        Normally the Microsoft C library hands off to Windows to process time. When daylight savings time changes, statically linked C libraries do not have to be updated or applications recompiled to take advantage of these changes.

        They have internal logic that can get out of sync; however, as a practical matter it's a fallback that is never used.

        If you have an application that allocates memory in one DLL and frees it in another

        Then the application is BROKEN.

        then it is vital that the library that does the memory management be a DLL. Otherwise, each DLL has its own statically linked memory mapping library, and they don't know about each other's allocations.

        GIGO

      • 2. If you have an application that allocates memory in one DLL and frees it in another, then it is vital that the library that does the memory management be a DLL. Otherwise, each DLL has its own statically linked memory mapping library, and they don't know about each other's allocations.
        Then don't link memory management code into those DLLs ... problem solved, facepalm.

        5. Only the really old languages like C++ and QuickBasic support static linking. I'm pretty sure Visual Basic, C# and .NET all require DL

    • Probably. Or you could sign the libraries and executables. This is a common type of vulnerability that shouldn't happen, but does, due to laziness, but it is also relatively easy to fix. The summary's claim of a "massive code rewrite" being needed is sensationalist BS.

      • by v1 ( 525388 )

        The summary's claim of a "massive code rewrite" being needed is sensationalist BS.

        It certainly does look that way. Apparently the problem is in the updater. If your UPDATER even needs to be "completely rewritten", I don't see how that could be described as a "massive rewrite".

        MS never wanted skype, they wanted its userbase. Most users don't like the "new look" they gave it anyway. MS is just going to leverage this into a handy excuse to get the current skype users to move over to their own home-grown IM

        • I think I know why they claim a need to rewrite their downloader: it's because of the way the loader does implicit loading of DLLs at process initialization.
          This implicit loading is vulnerable to DLL hijacking, and mitigations like SetDLLDirectory() and such don't help because it happens before any code in their updater gets to run -- even if they use a custom entry point. You can see this yourself by using WinDbg with Loader Snaps enabled; you will see DLL loads occurring before any of your own code get

    • by swb ( 14022 )

      I think at this point application vendors could solve a multitude of problems by providing statically linked applications. Issues like memory and disk space aren't as big of an impact as they once were.

      But I think the reason we won't see a renaissance in statically linked applications is that vendors LIKE the fact that installers get run as privileged users because it lets them snoop the system and install telemetry they couldn't do with a static executable.

      To be sure, there are good arguments against stat

  • This exact same "attack" has been the root cause of dozens of Windows vulnerabilities reported on Slashdot over the past decade.
    EVERYONE should already know about this flaw, so Microsoft has no right to act like it didn't know about the flaw when they purchased Skype.

    If any program allows downloads to its %PATH%, then it's 100% vulnerable to this exploit.

    p.s. This is also the reason you should never launch an installer from the download directory for your web browser. (Yes, that was also a story on /., but

  • Last time I checked, a complete rewrite is not necessary at all. Sometimes a one-liner [microsoft.com], e.g. SetDllDirectory(""), is more than enough.
  • Circle jerk (Score:5, Interesting)

    by duke_cheetah2003 ( 862933 ) on Tuesday February 13, 2018 @01:18AM (#56113471) Homepage

    What's worse is that Microsoft, which owns Skype, won't fix the flaw because it would require the updater to go through "a large code revision." Instead, Microsoft is putting all its resources on building an altogether new client.

    Man I gotta hand it to whomever at Microsoft actually convinced their boss to go this route. There was a MSN messenger once, you know, Microsoft's IM client, they dumped it and bought Skype. Now they're dumping Skype for inhouse MSN messenger 2.0? Hahahahaha nice job.

    • Hahahahaha nice job

      Yes it is. Think about this for a second. Some of the biggest improvements to OSes have come from major re-writes. This isn't a big deal for a software company as much as it is business as usual.
      Likewise some of the biggest purchases and acquisitions have had zero to do with software. Software is just some code anyone can write. You think a couple of guys in Estonia could do something Microsoft couldn't? The reason Skype was purchased was IP + userbase. This IP+userbase was merged with the existing IP+userb

  • Adobe, Java and Skype run 24/7 update processes that I keep killing and they keep coming back. I do all my normal work on a normal user account, which means these programs fail trying to auto-install updates because on my Windows 7 Pro box they do not have permissions.

    These programs are a plague that expects their users to run their computers (as admin) on a day to day basis. They encourage poor security habits.

    When I get irked about the constant pop ups and threats I will log out of my user account
  • ...they can damned well reinstate the API used by the Netgear Skype DECT phone I paid a shitload for. The one that says "Skype certified" on it. >:(

  • What Else ? Whatsapp, Line, WeChat, Zoom, Hangouts, Hermit, other?
  • Skype was unique when it was new. A simple to use, easy tool for voice and text chat. And one that can even do phone calls if you so please. People jumped onto it because, well, it was the only one.

    Fast forward to today when this monopoly situation ain't so true anymore. Considering how Skype refuses to play nice with any of the other kids in the communication and messenger pool, insisting on being a special little snowflake that nobody may touch with their grubby paws, Skype is pretty much the tool you use

  • Should be noted that the bug requires that the attacker can write a DLL to your file system. So the user already needs to be downloading random DLLs, be a multi-user system or some other software needs to be exploited to write a DLL.

    For a typical home PC this bug doesn't seem like a particularly problematic issue.
