Critical bug in Skype is forcing Microsoft to issue an all-new version of Skype

A bug in Skype’s updater process can let have attacker to gain full system level access.

skype calling app

A critical vulnerability has been discovered in Skype that could potentially allow attackers to gain rights granting system-level privileges to a local, unprivileged user.

Microsoft, which owns the voice and video-calling service, said it won’t immediately fix the flaw, because the bug would require too much code rewrite.

Skype uses its own built-in updater to keep the software up to date. When that updater runs, it uses another executable file to run the update, which is vulnerable to the hijacking.

The vulnerability has been discovered and reported to Microsoft by security researcher Stefan Kanthak and resides in Skype’s update installer, which is susceptible to Dynamic Link Libraries (DLL) hijacking.

Security researcher Stefan Kanthak found that the Skype update installer could be exploited with a DLL hijacking technique, which can allow an attacker to bluff an application into drawing malicious code instead of the correct library. An attacker can download a malicious DLL into a user-accessible temporary folder and rename it to an existing DLL that can be modified by an unprivileged user. The bug works because the malicious DLL is found first when the app searches for the DLL it needs.

Once system-level privileges are gained, an attacker can do anything, Stefan Kanthak said.

Instead, the company

More on https://capec.mitre.org/data/definitions/471.html

http://seclists.org/fulldisclosure/2018/Feb/33