Microsoft cannot fix Skype bug without huge code revision
Cybersecurity analysts report about Skype vulnerability which allows hackers to gain access to computer's system account[1]. The bug resides in application's automatic update feature and would require a massive code rewrite which is not only time-consuming but expensive as well. Likewise, it is more likely that Microsoft will need to issue a new version of Skype rather than simply patch the bug.
According to Stefan Kanthak, a security researcher says that the vulnerability which is present in Skype's update service could be exploited to get full access to the user's chat[2]. This puts the privacy of Skype users at risk since not only private information could be exposed but also misused for phishing purposes or blackmail. Now crooks are more motivated than ever to update Skype virus.
DLL hijacking technique helps criminals exploit the vulnerability
The technique called DLL hijacking refers to the replacement of legitimate Microsoft library with the malicious one. An attacker needs to infiltrate the malicious DLL file onto victim's computer and rename it exactly the same as the original one[3]. This way, the application would search for the library and find malicious DLL file first.
Every time Skype launches it checks for updates automatically. Once it ran the updater, it would use a different executable file and which is precisely vulnerable to DLL hijacking. Even though some criminals might struggle to drop the malicious DLL file on the targeted computer, there are many ways how it may be done.
While sending spam emails with infected attachments or loading DLL through shady websites is an option, IT specialist explains that there is an easier way — a malicious script or malware could remotely transfer DLL file into a temporary folder as well[4].
Microsoft chose to release a new version of Skype rather than a simple patch
Microsoft has confirmed that fixing the bug was possible. However, the software giant pointed out that it would require too much work[5]. Researcher specified the nature of the work as a huge code revision to fix the bug which would be time-consuming.
However, Microsoft said that it's releasing an update anyway which will now be accompanied by a new version of Skype. It is evident that the company is not going to eliminate the vulnerability despite the fact that users are currently at risk. It means that criminals still have a chance to steal and delete data or infiltrate ransomware on the targeted Windows computers.
- ^ Anthony Caruana. Skype Security Is Borked And Hard To Fix. Lifehacker. Tips, tricks and downloads for getting things done.
- ^ Chris Merriman. Microsoft won't plug a huge zero-day in Skype because it'd be too much work. TheINQUIRER. News, reviews and opinion for tech buffs.
- ^ Mayank Parmar. Microsoft might not fix Skype vulnerability in the immediate future. Windows Latest. Your Source for all things Microsoft.
- ^ Zack Whittaker. Skype can't fix a nasty security bug without a massive code rewrite. ZDNet. Technology News, Analysis, Comments and Product Reviews.
- ^ Bogdan Popa. Microsoft Not in a Rush to Fix Skype Bug Exposing Users. Softpedia. Latest News & Reviews.