Skype has a vulnerability in the update process that allows an attacker to gain system-level access to the system. Microsoft won’t fix this error.
I need to confess, I forgot it. Stefan Kanthak already asked me last week in a mail ‘Should I continue with Skype and its numerous security holes, including the one in their proprietary updater running under SYSTEM account?’. But I have had too many other topics on my desk. But Zack Whittaker covered it (after Stefan’s mail) at ZDNet.com.
Skype updater is insecure
As Stefan Kanthak noted in the above-mentioned mail, the Skype updater runs under the SYSTEM account, so it has all privileges. At the same time, the Skype update installer can be tricked with a DLL hijacking technique.
This technique lets an attacker get an application to load malicious code instead of the correct library. The attacker can download a malicious DLL to a user-accessible temporary folder and then rename it to the name of an existing DLL that an unprivileged user can modify, such as UXTheme.dll. The DLL hijacking attack works because Windows finds the malicious DLL first when the application searches for the required DLL.
Now back to Skype. After installation, Skype uses its own built-in updater to keep the software up to date. This updater, however, uses another executable file to perform the update itself, and that application is susceptible to DLL hijacking.
Kanthak states that Windows provides several ways to perform such attacks (although DLL hijacking is not limited to Windows). Using command line commands, an attacker can use scripts or malware to transfer a manipulated DLL to the temporary folders and rename it accordingly.
If the Skype updater is then started to check for updates, it launches this tool, which loads the manipulated DLL through DLL hijacking. Since the processes run under the SYSTEM account, the code in that DLL has full access rights to the system. It can delete, manipulate and encrypt files (ransomware) or remove data.
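The condition described above can be watched for in image-load telemetry. The following detection sketch is an added example, not code from Kanthak, Microsoft or ZDNet; the event field names (modelled on Sysmon event ID 7), the trusted directory list, the DLL name list and all sample paths are assumptions constructed for illustration.

```python
import ntpath

# Assumption: directories only administrators can write to on a default install.
TRUSTED_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64",
                r"C:\Program Files", r"C:\Program Files (x86)")
# Assumption: short sample of DLL names that normally resolve from System32.
SYSTEM_DLL_NAMES = {"uxtheme.dll", "version.dll", "cryptsp.dll"}
SYSTEM_USERS = {r"nt authority\system"}


def _norm(path):
    """Collapse '..' segments, unify separators and lower-case a Windows path."""
    return ntpath.normcase(ntpath.normpath(path))


def in_trusted_dir(path):
    """True only if path lies inside a trusted directory (not a look-alike prefix)."""
    p = _norm(path)
    return any(p.startswith(_norm(d) + "\\") for d in TRUSTED_DIRS)


def find_hijack_candidates(events):
    """Return (image, dll, reason) for SYSTEM processes loading untrusted DLLs."""
    hits = []
    for ev in events:
        if ev["User"].lower() not in SYSTEM_USERS:
            continue  # only loads with full privileges matter for this check
        dll = ev["ImageLoaded"]
        if in_trusted_dir(dll):
            continue
        name = ntpath.basename(_norm(dll))
        reason = "shadows-system-dll" if name in SYSTEM_DLL_NAMES else "untrusted-dir"
        hits.append((ev["Image"], dll, reason))
    return hits


# Constructed sample events; helper.exe is a placeholder name, not Skype's file.
SAMPLE_EVENTS = [
    {"User": r"NT AUTHORITY\SYSTEM", "Image": r"C:\Windows\Temp\upd\helper.exe",
     "ImageLoaded": r"C:\Windows\Temp\upd\UXTheme.dll"},
    {"User": r"NT AUTHORITY\SYSTEM", "Image": r"C:\Windows\Temp\upd\helper.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"User": r"DESKTOP\alice", "Image": r"C:\Users\alice\AppData\Local\Temp\app.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\uxtheme.dll"},
    {"User": r"NT AUTHORITY\SYSTEM", "Image": r"C:\Windows\Temp\upd\helper.exe",
     "ImageLoaded": r"C:\Windows\Temp\upd\plugin.dll"},
]

if __name__ == "__main__":
    for hit in find_hijack_candidates(SAMPLE_EVENTS):
        print(hit)
```

A "shadows-system-dll" hit is the stronger signal: a DLL name that should resolve from System32 was loaded by a SYSTEM process from a directory outside the trusted list.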
Microsoft won’t fix that in the Skype client yet
This is where the story gets dirty. Stefan Kanthak informed Microsoft about the bug in September 2017. Microsoft’s response: its software group could reproduce the security issue, but fixing it requires a major code change to the update mechanism, and that cannot be done in the form of a security update.
Microsoft is currently concentrating all resources on the development of a new Skype client, so it will take time to close this serious security hole. The question remains whether Skype will be targeted by malware attacks again to infiltrate Windows with malware via this vulnerability. Microsoft has not commented on a request from ZDNet.