Vicious Skype Security Exploit May Require Extensive Code Overhaul

Vicious Skype Security Exploit May Require Extensive Code Overhaul

Microsoft's messaging platform Skype has a vulnerability that could allow the cybercriminals to get the same rights as the logged-in user, and it appears that this security vulnerability won't be fixed anytime soon as the software giant needs to rewrite the code which would be time-consuming. However, the hacker would require physical access to the computer to do this. He described it as a "system-level" security vulnerability.

Essentially, that means that an attacker exploiting the flaw could takeover a user's PC, downloading files, tapping passwords and leaving behind backdoors and other malware.

Skype might be an unsuspecting app to target a user, because the app runs at the same level of privileges at the local, logged-in user, making it hard for attackers to do much with that low level of access. Hackers can exploit it using a common but potentially risky DLL hijacking method. This allows the attacker to trick the app into drawing malicious code instead of from the correct library. Kanthak explained that attackers would use an unprivileged user such as "UXTheme.dll" to do this.

In order to exploit the bug, the attacker first has to drop the DLL file on a system through a malicious site, email and there are many other ways to do that.

He described Microsoft as taking a lackadaisical approach to the issue.

The engineers provided me with an update on this case.

Speaking to ZDNet, Kanthak said that even though Microsoft was able to reproduce the issue, a fix will only arrive "in a newer version of the product rather than a security update", the implication being that patching the issue would require too much work. However, Microsoft mentioned that all the resources have been put toward development of the new client. In their response to him, they said a new version of the Skype client, addressing this issue would be issued and that the current, vulnerable version would "slowly be deprecated".

Related Articles