Quick Heal Security Labs has recently learned about a serious vulnerability in Skype’s update installer – that’s the bad news. The worse news is, Microsoft is not going to patch the vulnerability anytime soon as this would require the updater to go through a ‘large code revision’.
What is this security flaw about?
Security researcher, Stefan Kanthak, discovered the vulnerability back in September 2017. He had found that this flaw can be exploited with a DLL hijacking technique, which tricks Skype into using a malicious code instead of the actual Microsoft’s code.
This is not the first time when Skype has had a security issue. Back in June 2017, a critical flaw in the messaging service was revealed that could allow hackers to crash systems and execute malicious codes in them. This was later fixed by Microsoft.
Skype is among those applications which use the common open-source framework used in applications called ‘Electron’. Electron was later found to be having a critical vulnerability thus making Skype vulnerable too.
According to Stefan Kanthak, this vulnerability is not specific to Microsoft’s desktop OS and that Mac and Linux users are also potentially vulnerable to the DLL hijacking technique.
It is important to note that, this vulnerability affects the Skype for the desktop app and not the Universal Windows Platform app that comes bundled with Windows 10 PCs as these apps have their own update installers which are vulnerable to the DLL hijacking technique.
How severe is the flaw?
The security flaw can allow attackers to gain system-level-privileges. This means that attackers can gain complete control of the affected system and carry out all sorts of malicious stunts such as deleting personal files, stealing sensitive information, holding data hostage by running a ransomware or installing malware on the PC.
As this flaw is not limited to Windows and can affect Mac and Linux users too, it serves as a large window of opportunity for attackers.
Microsoft has stated that the flaw needs a massive revision of the code which is impractical as of now. They will be fixing the flaw in a future version of the app; the release dates of this version are not available yet.