A Skype security flaw could allow attackers to gain system-level privileges on vulnerable computers — and because of the work involved, Microsoft won’t be able to issue a security patch right away.
The bug can be found in Skype’s updater process, and will require a “large code revision” to fix. ZDNet was informed of the bug by security researcher Stefan Kanthak. Kanthak said he informed Microsoft about the bug in September, and was told by the company that a fix would arrive in a new version of Skype — not just through a mere security patch.
The flaw in Skype’s update installer can be exploited through a DLL hijacking technique: an attacker plants a malicious library where the installer will load it, so the attacker’s code runs with the installer’s elevated privileges and can lead to system access.
What’s The Risk?
Microsoft has confirmed the flaw, according to Engadget. The company gave Engadget a boilerplate statement about how it investigates security issues. The statement noted that “on issues of low risk, we remediate that risk via our Update Tuesday schedule.” This particular issue doesn’t seem to qualify as low risk.
It seems that Windows machines are most at risk — Kanthak said there are “multiple ways” to use this technique in Windows — but Mac and Linux machines are also susceptible.
It’s unclear just how much of an issue this is for Skype users in the near future, but Engadget points out that a hacker would need physical access to the computer to gain full system access — which makes a fix seem less urgent.
[It won’t fix this bug, but our article How To Increase Your Skype Security offers tips on Skype privacy and encryption.]
No timeline has been given for when Microsoft may issue a new version of Skype with a long-term fix. Until then, we would just note that Skype users should keep their computers close by, especially in public spaces.