Thursday 15 February 2018

Engadget.com/Rachel England: A major bug is forcing Microsoft to rebuild Skype for Windows

The fix will land with a new version of Skype, rather than a security update.
Rachel England, @rachel_england
02.14.18 in Security

Skype has fallen foul of a security flaw that can allow attackers to gain system-level privileges to vulnerable computers, Microsoft has confirmed. However, the company won't immediately fix the issue because doing so would require a complete code overhaul. The bug was discovered by security researcher Stefan Kanthak, who says the Skype update can be tricked into loading malicious code instead of the right library. An attacker would simply need to put a fake DLL into a user-accessible temporary folder, with the name of an existing DLL that could be modified by anyone without system privileges. Anyone trying to hijack your PC would obviously need access to your file system, but according to Kanthak, once system access is granted, an attacker "can do anything". However, the hacker would require physical access to the computer to do this.

Kanthak told Microsoft about the vulnerability -- which could let hackers steal files, delete data or run ransomware -- back in September, and the company acknowledged a fix would require "a large code revision". Speaking to ZDNet, Kanthak said that even though Microsoft was able to reproduce the issue, a fix will only arrive "in a newer version of the product rather than a security update", the implication being that patching the issue would require too much work. Microsoft said it's put "all resources" into building a new client, but has not revealed when that's likely to land. We've reached out to Microsoft for comment.

Update: A Microsoft spokesperson gave us the following statement. "We have a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is that on issues of low risk, we remediate that risk via our Update Tuesday schedule."

Update 2: This story originally stated that an attacker needs physical access to a PC to take advantage of this flaw. This has been corrected to state the attacker simply needs access to the file system. Wording has also been updated to clarify that Skype is the app being tricked into loading malicious code.
Via: ZDNet