A Major Bug Found On Skype: Fixing It Requires Microsoft To Rebuild The Software

Microsoft Skype was one of the pioneers of VoIP. While its popularity has diminished over the years, it still has a solid base of users.

But it turns out that Microsoft had overlooked something in it.

Security researcher Stefan Kanthak found that the software's updater can be tricked into loading malicious code instead of the right library. The bug resides in the automatic updater for the Windows desktop app: it loads its DLLs from a location that ordinary users can write to, so a malicious .dll placed there runs in place of the legitimate one.

To exploit it, all an attacker needs to do is put a fake .dll inside a user-accessible temporary folder, giving it the name of one of the libraries the updater loads. Because that folder can be written to by anyone without system privileges, no special rights are needed to plant the file.

Kanthak explained that an unprivileged local user who is able to place UXTheme.dll "or any of the other DLLs loaded by the vulnerable executable in '%SystemRoot%\Temp\' gains escalation of privilege to the SYSTEM account."
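The precondition Kanthak describes is that %SystemRoot%\Temp grants create-file rights to low-privilege principals. The following audit script is an added example, not code from the article or from Kanthak's advisory: it reads the folder's ACL, reports any Allow entry that lets Users, Authenticated Users or Everyone create files there, and lists any DLL already in the folder whose name shadows a DLL in System32 (the pattern used to hijack the updater). The three well-known SIDs are standard Windows constants; the output format is this script's own choice.

```powershell
# Added audit script (not from the article or the advisory).
# Checks whether %SystemRoot%\Temp is writable by low-privilege users and
# whether it already contains DLLs that shadow System32 library names.

$tempDir  = Join-Path $env:SystemRoot 'Temp'
$system32 = Join-Path $env:SystemRoot 'System32'

# Well-known SIDs for the groups every interactive user belongs to.
$lowPrivSids = @(
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-11',      # NT AUTHORITY\Authenticated Users
    'S-1-1-0'        # Everyone
)

# The right needed to drop a new file into a directory.
$createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles

$acl = Get-Acl -Path $tempDir
$writable = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    try {
        $sid = $ace.IdentityReference.Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
    } catch { continue }   # unresolvable (orphaned) SID: skip it
    # Modify/Write/FullControl all include the CreateFiles bit, so a bitmask
    # catches them without enumerating every composite right.
    if ($lowPrivSids -contains $sid -and
        (([int]$ace.FileSystemRights) -band $createFiles)) {
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# DLL names the OS ships in System32; anything with the same name in Temp
# is a candidate planted library (e.g. UXTheme.dll) and deserves a look.
$system32Dlls = Get-ChildItem -Path $system32 -Filter '*.dll' -File -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty Name
$suspect = Get-ChildItem -Path $tempDir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
           Where-Object { $system32Dlls -contains $_.Name }   # -contains is case-insensitive

if ($writable) {
    Write-Output "$tempDir is writable by low-privilege principals:"
    $writable | Format-Table -AutoSize
} else {
    Write-Output "$tempDir grants no create-file right to Users, Authenticated Users or Everyone."
}

if ($suspect) {
    Write-Output "DLLs in $tempDir that shadow System32 library names (inspect before removing):"
    $suspect |
        Select-Object Name, Length, LastWriteTime,
            @{ n = 'Signature'; e = { (Get-AuthenticodeSignature $_.FullName).Status } } |
        Format-Table -AutoSize
} else {
    Write-Output "No DLLs in $tempDir shadow a System32 library name."
}
```

Run it from an ordinary (non-elevated) session, since that is the perspective of the attacker in the advisory. A writable folder is only half of the condition; the other half is an executable that runs with higher privileges from that folder and resolves library names relative to it. The developer-side fix for that half is to load system libraries by full path or to restrict the loader's search to System32, not to tighten the ACL on a folder the OS expects to be shared.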

Once SYSTEM access is obtained, an attacker "can do anything," including stealing files, capturing passwords, downloading and deleting data, or installing all sorts of malware.

The bug is limited to the full Skype desktop program for Windows; users of the Universal Windows Platform (UWP) application should be fine.

Microsoft has confirmed the bug. The company acknowledged that a fix is required, but that the fix would be "a large code revision." In other words, it will not fix the issue immediately, because doing so would require a complete overhaul of the updater's code.

Kanthak said that Microsoft was able to reproduce the issue, but that a fix will only arrive "in a newer version of the product rather than a security update". The implication is that patching the existing client is too much work for Microsoft: so much code would have to be rewritten that it judged the effort not worth starting.

Instead, the company would put "all resources" into building a new client.

According to the company's spokesperson, "We have a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is that on issues of low risk, we remediate that risk via our Update Tuesday schedule."

Published: 
15/02/2018