Skype can’t fix a nasty security bug without a massive code rewrite

A security flaw in Skype’s updater process can allow an attacker to gain system-level privileges on a vulnerable computer. The bug, if exploited, can escalate a local unprivileged user to full “system”-level rights — granting them access to every corner of the operating system. But Microsoft, which owns the voice- and video-calling service, said it won’t immediately fix the flaw, because a fix would require too much work.

Security researcher Stefan Kanthak found that the Skype update installer could be exploited with a DLL hijacking technique, which tricks an application into loading a malicious library placed in its search path instead of the correct one.
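To make the risk described above concrete from an auditing point of view, here is an added example (not code from the article, from Kanthak, or from Microsoft) that models the default Windows DLL search order and flags a library load as hijackable when a directory that unprivileged users can write to is searched before the directory holding the legitimate DLL. The directory layout, the file names and the paths below are constructed sample data, not anything taken from Skype’s installer; the point is to show why an installer that runs from a user-writable location and loads DLLs by bare name is exposed, and why loading by full path removes that exposure.

```python
"""Audit a DLL load for hijack risk against a modelled Windows search order.

Added example; all directories and files are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Dir:
    path: str
    files: set = field(default_factory=set)
    writable_by_unprivileged: bool = False  # assumption for the sample data


def default_search_order(app_dir, system32, windows, cwd, path_dirs):
    """Default order with SafeDllSearchMode on: application directory,
    System32, Windows directory, current directory, then each PATH entry.
    (The 16-bit system directory is omitted from this model.)"""
    return [app_dir, system32, windows, cwd, *path_dirs]


def resolve_dll(name, order):
    """Return the first directory in `order` that contains `name` (case-insensitive)."""
    wanted = name.lower()
    for d in order:
        if wanted in {f.lower() for f in d.files}:
            return d
    return None


def hijack_risk(name, order):
    """List user-writable directories searched before the one that holds the DLL.

    A non-empty result means a low-privilege user could plant a same-named
    DLL that the process would load in preference to the legitimate copy.
    """
    legit = resolve_dll(name, order)
    risky = []
    for d in order:
        if d is legit:
            break
        if d.writable_by_unprivileged:
            risky.append(d.path)
    return risky


# Constructed sample environment: an installer launched from the user's temp
# directory wants a library that legitimately lives in System32.
TEMP = Dir(r"C:\Users\alice\AppData\Local\Temp", {"installer.exe"}, writable_by_unprivileged=True)
SYSTEM32 = Dir(r"C:\Windows\System32", {"version.dll", "kernel32.dll"})
WINDIR = Dir(r"C:\Windows", set())
CWD = Dir(r"C:\Users\alice\Downloads", set(), writable_by_unprivileged=True)
PATH_DIRS = [Dir(r"C:\Tools", set(), writable_by_unprivileged=True)]

# Bare-name load, e.g. LoadLibrary("version.dll"): the writable app directory
# is consulted first, so the load is hijackable.
BARE_NAME_ORDER = default_search_order(TEMP, SYSTEM32, WINDIR, CWD, PATH_DIRS)

# Hardened load by fully qualified path (or an equivalent restriction of the
# search to the system directory): only System32 is ever consulted.
FULL_PATH_ORDER = [SYSTEM32]


def audit_bare_name():
    return hijack_risk("version.dll", BARE_NAME_ORDER)


def audit_full_path():
    return hijack_risk("version.dll", FULL_PATH_ORDER)


if __name__ == "__main__":
    print("bare-name load, writable dirs searched first:", audit_bare_name())
    print("full-path load, writable dirs searched first:", audit_full_path())
```

Running the block reports the temp directory for the bare-name load and nothing for the full-path load. One caveat when applying this kind of audit to a real process: libraries on the system’s KnownDLLs list are not subject to the search order at all, so a model like this over-reports risk for those names, and a precise audit would exclude them.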

Kanthak informed Microsoft of the bug in September, but the software giant said issuing a fix would require the updater to go through “a large code revision.” The company told him that even though engineers “were able to reproduce the issue,” a fix will land “in a newer version of the product rather than a security update.” Instead, the company said it’s put “all resources” on building an altogether new client.

Read more about the Skype vulnerability, which grants a low-privilege user access to every corner of the operating system, on ZDNet.
