Microsoft has confirmed that Skype is currently affected by a security flaw that can grant attackers system-level privileges, a level of access normally reserved for the operating system itself. Unfortunately for users of the communication platform, it looks like the company isn’t planning on fixing it at all, instead opting for an entirely new build.
Security researcher Stefan Kanthak uncovered the bug and explained that it lies in Skype’s automatic update function, which can be manipulated into loading the wrong code (a planted DLL) and running it with the updater’s elevated permissions.
“They've reviewed the code and were able to reproduce the issue, but have determined that the fix will be implemented in a newer version of the product rather than a security update,” explains Kanthak regarding his contact with Microsoft. “The team is planning on shipping a newer version of the client, and this current version will slowly be deprecated. The installer would need a large code revision to prevent DLL injection, but all resources have been put toward development of the new client.”
Microsoft has yet to reveal when it will roll out the new client, but it has addressed the issue in a statement to Engadget. “We have a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is that on issues of low risk, we remediate that risk via our Update Tuesday schedule.”
Although gaining System permissions sounds alarming, Microsoft does not appear particularly concerned with the bug, since an attacker would need physical access to the computer to carry out the required steps. The flaw is also limited to the full Skype program on desktop, so users of the Universal Windows Platform (UWP) application should be fine.
KitGuru Says: It’s possible that Microsoft is lax on fixing the issue simply because this promotes its dreadful UWP app in a better light, but I still maintain that the desktop version is my preference despite the vulnerability. Do you still use Skype? What version do you use?