Microsoft won't immediately fix a vulnerability in its Skype for Windows app

Adjust Comment Print

Microsoft's Skype for Windows desktop app appears to be suffering from a pretty serious vulnerability, one that the company won't immediately fix. He described it as a "system-level" security vulnerability.

The security flaw can be exploited even if the victim is logged into their computer as a standard user.

Skype might be an unsuspecting app to target a user, because the app runs at the same level of privileges at the local, logged-in user, making it hard for attackers to do much with that low level of access. Skype was not something that hackers used to be interested in but it seems that has changed.

Читайте также: Bristol Palin's short marriage is over, reports say

There's a gaping hole in Skype's update installer which could potentially allow an attacker to gain full control over the host machine, and what's more, this isn't something Microsoft can patch against right now, with the software giant having to put off the fix until a future version of the Skype app is rolled out. Kanthak explained that attackers would use an unprivileged user such as "UXTheme.dll" to do this. Security researcher has revealed that a potential attacker could exploit the "functionality of the Windows DLL loader where the process loading the DLL searches for the DLL to be loaded first in the same directory in which the process binary resides and then in other directories (e.g., System32)". If an attacker exploits this preferential search order, they can make the loading process load the their own rogue DLL rather than the legitimate DLL.

He described Microsoft as taking a lackadaisical approach to the issue.

The researcher added: "The [Microsoft] engineers provided me with an update on this case". In the same response, Microsoft promises to develop and ship a newer version of the client. But it said the fix would require the Skype updater go through "a large code revision".

При любом использовании материалов сайта и дочерних проектов, гиперссылка на обязательна.
«» 2007 - 2018 Copyright.
Автоматизированное извлечение информации сайта запрещено.

Код для вставки в блог