2018-02-12
Skype Can't Fix a Nasty Security Bug Without a Massive Code Rewrite (zdnet.com)
ZDNet reports of a security flaw in Skype's updater process that "can allow an attacker to gain system-level privileges to a vulnerable computer." If the bug is exploited, it "can escalate a local unprivileged user to the full 'system' level rights -- granting them access to every corner of the operating system." What's worse is that Microsoft, which owns Skype, won't fix the flaw because it would require the updater to go through "a large code revision." Instead, Microsoft is putting all its resources on building an altogether new client. From the report: Security researcher Stefan Kanthak found that the Skype update installer could be exploited with a DLL hijacking technique, which allows an attacker to trick an application into drawing malicious code instead of the correct library. An attacker can download a malicious DLL into a user-accessible temporary folder and rename it to an existing DLL that can be modified by an unprivileged user, like UXTheme.dll. The bug works because the malicious DLL is found first when the app searches for the DLL it needs. Once installed, Skype uses its own built-in updater to keep the software up to date. When that updater runs, it uses another executable file to run the update, which is vulnerable to the hijacking. The attack reads on the clunky side, but Kanthak told ZDNet in an email that the attack could be easily weaponized. He explained, providing two command line examples, how a script or malware could remotely transfer a malicious DLL into that temporary folder.
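The bug class the summary describes (a privileged updater resolving a DLL by bare name from a directory an unprivileged user can write to) is easy to audit once the loader's search order is written down. Below is an added example, not code from Skype, Microsoft or the ZDNet report: a small Python model of the default Windows DLL search order that, for a constructed directory layout, reports which loads would be satisfied from a user-writable location, and shows how restricting system DLLs to System32 (the behaviour of `LoadLibraryEx` with `LOAD_LIBRARY_SEARCH_SYSTEM32`, or `SetDefaultDllDirectories`) changes the result. The paths, ACL flags and file names are constructed for the demo.

```python
"""Audit model for the bug class described above: a privileged updater that
resolves a DLL by bare name and ends up loading it from a directory an
unprivileged user can write to.

This is an added example, not code from Skype, Microsoft or the ZDNet report.
The directory layout, ACL flags and file names are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default DLL search order (SafeDllSearchMode enabled) for a bare file name.
DEFAULT_ORDER = ["app_dir", "system32", "system", "windows", "cwd", "path"]
# Search performed by a loader that pins system DLLs to System32 via
# LoadLibraryEx(LOAD_LIBRARY_SEARCH_SYSTEM32) or SetDefaultDllDirectories.
SYSTEM32_ONLY = ["system32"]


@dataclass
class Directory:
    path: str
    files: set           # lower-case file names present in the directory
    user_writable: bool  # True if an unprivileged user can create/rename files here


@dataclass
class Finding:
    dll: str
    resolved_in: str     # search-order slot that satisfies the load, or "<none>"
    hijackable: bool     # True if that slot is writable by an unprivileged user


def resolve(dll: str, layout: Dict[str, Directory], order: List[str]) -> Optional[str]:
    """Return the first slot in `order` whose directory contains `dll`."""
    name = dll.lower()
    for slot in order:
        d = layout.get(slot)
        if d is not None and name in d.files:
            return slot
    return None


def audit(loads: List[str], layout: Dict[str, Directory],
          order: List[str] = DEFAULT_ORDER) -> List[Finding]:
    """Report, for each DLL loaded by name, where it resolves and whether an
    unprivileged user controls that location."""
    findings = []
    for dll in loads:
        slot = resolve(dll, layout, order)
        if slot is None:
            # Not found anywhere: a file dropped into the first writable slot in
            # the search order would be picked up, so flag that slot.
            writable = [s for s in order if s in layout and layout[s].user_writable]
            findings.append(Finding(dll, writable[0] if writable else "<none>", bool(writable)))
        else:
            findings.append(Finding(dll, slot, layout[slot].user_writable))
    return findings


def runs_from_writable_location(layout: Dict[str, Directory]) -> bool:
    """The root cause in the report: the update executable runs from a
    per-user temp folder, so its own directory is first in the search order."""
    return layout["app_dir"].user_writable


def constructed_layout() -> Dict[str, Directory]:
    """Constructed layout: updater.exe unpacked into a user temp folder that
    also holds a file named uxtheme.dll; the real one lives in System32."""
    return {
        "app_dir":  Directory(r"C:\Users\alice\AppData\Local\Temp\update",
                              {"updater.exe", "uxtheme.dll"}, True),
        "system32": Directory(r"C:\Windows\System32", {"kernel32.dll", "uxtheme.dll"}, False),
        "windows":  Directory(r"C:\Windows", set(), False),
        "cwd":      Directory(r"C:\Users\alice", set(), True),
        "path":     Directory(r"C:\Program Files\Tools", set(), False),
    }


if __name__ == "__main__":
    layout = constructed_layout()
    print("updater runs from user-writable dir:", runs_from_writable_location(layout))
    for f in audit(["uxtheme.dll", "kernel32.dll", "optional-plugin.dll"], layout):
        print(f"{f.dll:22} -> {f.resolved_in:10} hijackable={f.hijackable}")
    # Same load with system DLLs pinned to System32: uxtheme.dll is no longer at risk.
    for f in audit(["uxtheme.dll"], layout, SYSTEM32_ONLY):
        print(f"[SYSTEM32 only] {f.dll} -> {f.resolved_in} hijackable={f.hijackable}")
```

Two findings matter for a reviewer of an installer: a system DLL that resolves to the application directory because the privileged binary was copied into a temp folder, and a DLL that is not found at all, since any writable slot in the search order would satisfy it. Pinning system DLLs to System32 removes the first; the second only goes away when the privileged binary stops running from a location an unprivileged user controls.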
The article indicates that the Updater is the problem, not Skype. The Updater runs in a privileged environment, and is susceptible to loading non-system DLLs. The article says the same can happen on Macs and on Linux except that neither platform uses DLLs nor allows sourcing libraries from local (non-system) directories.
I miss the days when every hacker under the sun would regularly release 0days for free that let you infect Windows machines just by sending a Skype message. Now you got to pay :( - or understand Russian :)
Of course Linux is completely immune to such attacks because LD_PRELOAD is open source.
Phew. https://www.cs.rutgers.edu/~pxk/419/notes/content/04-injection-slides-6.pdf
it's an IM client with audio/video capabilities, wth
That way you can be kinda sorta sure the entire thing came from Microsoft, maybe...
which allows an attacker to trick an application into drawing malicious code instead of the correct library.
That doesn't sound like it comes from Microsoft. It seems to me that the regular installer takes bits and pieces from here and there to assemble the app on your computer. I don't see that risk if you download the whole chunk from MS. And I don't let it update automatically. I definitely could be wrong, but I still feel better doing my installs from a local file/folder that I know (or think I know) has
If you can't fix the issue then let us have the option to remove the POS. Ever since they jammed the crappy product down my throat I've wished I could remove it; now would be a good time.
