A security flaw in Skype’s updater process can allow an attacker to gain system-level privileges to a vulnerable computer.
The bug, if exploited, can escalate a local unprivileged user to the full “system” level rights — granting them access to every corner of the operating system.
But Microsoft, which owns the voice- and video-calling service, said it won’t immediately fix the flaw, because fixing the bug would require too much work.
Security researcher Stefan Kanthak found that the Skype update installer could be exploited with a DLL hijacking technique, which allows an attacker to trick an application into loading malicious code instead of the correct library. An attacker can download a malicious DLL into a user-accessible temporary folder and rename it to an existing DLL that can be modified by an unprivileged user, like UXTheme.dll. The bug works because the malicious DLL is found first when the app searches for the DLL it needs.
Once installed, Skype uses its own built-in updater to keep the software up to date. When that updater runs, it uses another executable file to run the update, which is vulnerable to the hijacking.
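For defenders, the search-order problem described above can be checked for directly. The following is an added example, not code from the article, Kanthak or Microsoft: it lists DLLs in a directory that executables run from whose names collide with DLLs in the system directory. The function names and the sample folder layout are constructed for illustration.

```python
"""Audit a directory that executables run from for DLLs shadowing system copies."""
import os
import tempfile
from pathlib import Path


def dll_names(directory):
    """Map lower-cased DLL name -> path (Windows file names are case-insensitive)."""
    return {p.name.lower(): p for p in Path(directory).iterdir()
            if p.is_file() and p.suffix.lower() == ".dll"}


def find_shadowing_dlls(app_dir, system_dir):
    """List DLLs in app_dir that share a name with a DLL in system_dir.

    Assumes the standard Windows search order, in which the directory the
    executable was loaded from is searched before the system directory.
    Name matching ignores KnownDLLs and manifests, so hits are leads to review.
    """
    system = dll_names(system_dir)
    writable = os.access(app_dir, os.W_OK)  # can the current user drop files here?
    return [{"name": name, "shadow": path, "expected": system[name],
             "dir_writable": writable}
            for name, path in sorted(dll_names(app_dir).items())
            if name in system]


def demo():
    """Constructed layout: a temp folder holding an updater and a stray DLL."""
    with tempfile.TemporaryDirectory(prefix="dll_audit_") as root:
        system_dir = Path(root) / "System32"
        temp_dir = Path(root) / "Temp"
        system_dir.mkdir()
        temp_dir.mkdir()
        for name in ("uxtheme.dll", "version.dll"):
            (system_dir / name).write_bytes(b"constructed system copy")
        (temp_dir / "updater.exe").write_bytes(b"constructed placeholder")
        (temp_dir / "UXTheme.dll").write_bytes(b"constructed stray copy")
        (temp_dir / "helper.dll").write_bytes(b"constructed, no system twin")
        return find_shadowing_dlls(temp_dir, system_dir)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['shadow'].name} shadows {f['expected'].name} "
              f"(directory writable by current user: {f['dir_writable']})")
```

On a real host, point `find_shadowing_dlls` at the folder an updater or installer executes from and at the Windows system directory; a hit in a user-writable folder is the condition the article describes.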
The attack reads on the clunky side, but Kanthak told ZDNet in an email that the attack could be easily weaponized. He explained, providing two command line examples, how a script or malware could remotely transfer a malicious DLL into that temporary folder.
“Windows provides multiple ways to do it,” he said. But DLL hijacking isn’t limited to Windows, he said — noting that it can apply to Macs and Linux, too.
Once “system” privileges are gained, an attacker “can do anything,” Kanthak said.
“‘System’ is ‘administrator’ on steroids,” he added.
From there, an attacker could steal files, delete data, or hold data hostage by running ransomware.
Kanthak informed Microsoft of the bug in September, but the software giant said issuing a fix would require the updater to go through “a large code revision.”
The company told him that even though engineers “were able to reproduce the issue,” a fix will land “in a newer version of the product rather than a security update.”
Instead, the company said it’s put “all resources” on building an altogether new client.
Skype might seem an unlikely app to use to target a user, because the app runs at the same level of privileges as the local, logged-in user, making it difficult for attackers to do much with that low level of access. To cause any meaningful damage, you need to be an administrator or above — like the “system” user.
But Skype has previously fallen victim to malvertising attacks that could open up the system to damage, if this escalation of privilege bug is exploited.
When reached, a Microsoft spokesperson did not have a comment. If that changes, we’ll update.
Contact me securely
Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755–8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.