A security flaw in the Skype update process could allow an attacker to gain system administrator privileges.
The bug can give a local user with no privileges full "system" rights, giving him access to virtually every function of the OS.
However, Microsoft, which is behind the service, said that it will not immediately correct the defect, because it requires too much work…
Security researcher Stefan Kanthak found that the Skype update installer could be exploited with a DLL hijacking technique, which allows an attacker to trick an application into loading malicious code instead of the correct library.
An attacker can download a malicious DLL to a user-accessible temporary folder and rename it to the name of an existing DLL that can be modified by a non-administrative user, such as UXTheme.dll.
The bug works because the malicious DLL is the first thing the application finds when it searches for the DLL it needs.
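The search-order behaviour described above can be checked from the defender's side. The following is an added example, not code from Kanthak, Microsoft or the original article: it models a simplified search order (the application's own directory first, then the system directory) and reports DLLs that would be loaded in place of a system library. The directory layout, `updater_helper.dll` and `version.dll` are constructed sample data.

```python
import os
import tempfile

def list_dlls(directory):
    """Map lower-cased DLL file name -> full path (Windows names are case-insensitive)."""
    return {
        entry.lower(): os.path.join(directory, entry)
        for entry in os.listdir(directory)
        if entry.lower().endswith(".dll")
    }

def resolve_dll(name, search_dirs):
    """Return the path supplied by the first directory that has the DLL, or None."""
    for directory in search_dirs:
        hit = list_dlls(directory).get(name.lower())
        if hit:
            return hit
    return None

def find_shadowing(app_dir, system_dir):
    """List DLLs in app_dir that carry the name of a system DLL.

    app_dir is searched first, so each hit is loaded instead of the system
    copy. dir_writable records whether the current user can write to app_dir.
    """
    system = list_dlls(system_dir)
    writable = os.access(app_dir, os.W_OK)
    return [
        {"name": name, "loaded": path, "expected": system[name], "dir_writable": writable}
        for name, path in sorted(list_dlls(app_dir).items())
        if name in system
    ]

def build_sample_tree(root):
    """Constructed sample layout: a temp-style application dir and a system dir."""
    app_dir = os.path.join(root, "Temp", "updater")
    system_dir = os.path.join(root, "System32")
    os.makedirs(app_dir)
    os.makedirs(system_dir)
    for directory, names in ((system_dir, ["uxtheme.dll", "version.dll"]),
                             (app_dir, ["UXTheme.dll", "updater_helper.dll"])):
        for name in names:
            open(os.path.join(directory, name), "wb").close()
    return app_dir, system_dir

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for finding in find_shadowing(*build_sample_tree(root)):
            print(finding)
```

A finding with `dir_writable` set means an unprivileged user can place the file that a higher-privileged process will then load, which is the condition the article describes.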
Once installed, Skype uses its own built-in updater to keep the software up to date.
The researcher even clarified that the attack is very easy on Windows, but it is not limited to Windows. According to what Stefan Kanthak told ZDNet, the attack can also be carried out on Mac and Linux systems.
Needless to say, once the attacker has acquired "system" privileges, he can do anything.
Kanthak informed Microsoft of the bug in September, but the company said a new patch would require the updater to go through "a major code overhaul."
The company said that although its engineers "were able to reproduce the issue," the fix will come "in a newer version of the product and not with a security update".
The company also said it has "all the resources" to develop an entirely new client.
Note that Skype is an application that runs at the same privilege level as the logged-in user, which makes it difficult for attackers if the logged-in user is not an administrator. This specific vulnerability, however, makes the application very dangerous.