Categories
Microsoft News security Software

Security researchers locate vulnerability in Skype installer

This might be something that Microsoft wants to look into and fix.

The current version of Skype feature a security flaw that could let an attacker gain control of Mac, Windows, and Linux computers. The company has stated that it isn’t planning on fixing the flaw, at least for now, because it amounts to rewriting the entire app update installer.

The security flaw is in the app update installer, and if exploited, could let attackers gain administrator level access even if the victim is logged into their computer as a standard user. From there, they can copy and delete files, install other apps, access personal information, and more.


Microsoft was made aware of the security hole in September of 2017 and has been able to reproduce it on their own computers according to security researcher Stefan Kanthak:

The engineers provided me with an update on this case. They’ve reviewed the code and were able to reproduce the issue, but have determined that the fix will be implemented in a newer version of the product rather than a security update. The team is planning on shipping a newer version of the client, and this current version will slowly be deprecated.

The security notes refer to a Windows-specific DLL injection vulnerability that has lead to the need for an entire code rewrite, which Microsoft seems unwilling to do at this point in time. As such, the auto-updater in the current version of Skype poses a security risk should someone decide to exploit it.

Stay tuned for additional details as they become available

Via The Mac Observer and seclists.org