Microsoft has confirmed a nasty flaw in Skype that could allow nefarious individuals to gain complete access to the OS with system-level privileges on affected machines. To make the issue even worse, Microsoft knows the flaw is there and exploitable, but has no plans for an immediate fix because it would require too much work.
The flaw was discovered by security researcher Stefan Kanthak. According to him, the Skype update installer can be exploited with a DLL hijacking technique, in which the application is fooled into loading malicious code rather than the library it expects. An attacker would download the malicious DLL, place it into a user-accessible temporary folder, and rename it to match an existing DLL that could be modified by a user lacking privileges.
Once that code is in place, the attack relies on the integrated updater Skype uses to keep the software up to date: when the updater runs, it uses another executable file to run the update, and that executable is vulnerable to hijacking. That might sound complex, but according to Kanthak the exploit is easy to weaponize, and he gave two examples, which haven’t been released.
“Windows provides multiple ways to do it,” he said. “Once ‘system’ privileges are gained, an attacker ‘can do anything’.”
The escalated privileges would allow the hacker to steal files, delete data, or run ransomware. Kanthak brought the vulnerability to Microsoft’s attention in September and Microsoft noted that the fix would require “a large code revision.” Microsoft said that its engineers were able to replicate the issue and that a fix would come in a new version of Skype and not a security update. Microsoft says it has put “all resources” on building a new client.
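For defenders, the condition described above (a process running as SYSTEM that loads a DLL from a folder ordinary users can write to) can be hunted for in image-load telemetry. The following is an added example, not code from Kanthak or Microsoft: the field names follow Sysmon's image-load event (Event ID 7), while the paths, file names and list of writable folders are constructed placeholders, since the article names neither the executable nor the DLL.

```python
import ntpath

# Assumption: path fragments treated as user-writable; tune per environment.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\",
                         "\\users\\public\\")
SYSTEM_ACCOUNTS = {"nt authority\\system"}

# Constructed sample events shaped like Sysmon Event ID 7 (image loaded).
SAMPLE_EVENTS = [
    {"User": "NT AUTHORITY\\SYSTEM", "Signed": "false",
     "Image": "C:\\Windows\\Temp\\upd-constructed\\updater.exe",
     "ImageLoaded": "C:\\Windows\\Temp\\upd-constructed\\example.dll"},
    {"User": "NT AUTHORITY\\SYSTEM", "Signed": "true",
     "Image": "C:\\Windows\\Temp\\upd-constructed\\updater.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
    {"User": "DESKTOP\\alice", "Signed": "false",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll"},
    {"User": "NT AUTHORITY\\SYSTEM", "Signed": "false",
     "Image": "C:\\Program Files\\App\\svc.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\plugin.dll"},
]


def in_user_writable_dir(path):
    """True if the path sits under a folder a standard user can usually write to."""
    normalized = ntpath.normpath(path).lower()
    return any(marker in normalized for marker in USER_WRITABLE_MARKERS)


def is_suspicious_load(event):
    """Flag a SYSTEM process that loads a DLL from a user-writable folder."""
    if event["User"].lower() not in SYSTEM_ACCOUNTS:
        return False  # no privilege boundary is crossed
    if not in_user_writable_dir(event["ImageLoaded"]):
        return False
    # The DLL sits beside the executable (application-directory search order)
    # or carries no valid signature: either is worth an analyst's attention.
    same_dir = (ntpath.dirname(event["Image"]).lower()
                == ntpath.dirname(event["ImageLoaded"]).lower())
    unsigned = event.get("Signed", "false").lower() != "true"
    return same_dir or unsigned


def triage(events):
    """Return only the events that match the hijacking pattern."""
    return [e for e in events if is_suspicious_load(e)]
```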