It is a very unpleasant story: the Skype package for Debian enables Microsoft to take over the system completely. Anyone who knows the repository's private key could manipulate the system or introduce malware. You should either not install Skype at all or install it only in an isolated container.
The information reached me a few days ago. On seclists.org I came across the security note "Skype Debian package: allows complete machine takeover for Microsoft". Enrico Weigelt of Metux IT Consult describes the bug there, dated 25 September 2018, and it can be regarded as critical. He describes the problem as follows:
The Skype debian package for Skype (even when not installed via their official repo) automatically installs apt configuration that adds Microsoft's apt repo to the system's package sources.
That way, Microsoft (or anybody holding their repo's private key) can easily inject malicious packages via regular update and replace distro packages w/ their own manipulated ones.
A situation that simply cannot be tolerated. Enrico Weigelt consequently suggests that Microsoft remove all apt configuration material from the .deb. Until Microsoft reacts, Debian users can only do the following:
a) remove Skype's apt config (sources.list entry as well as the Microsoft apt key) immediately after installation
b) unpack and repackage it manually (w/o that apt config) before installation on production machines
c) use apt pinning to restrict the Microsoft repo to only the package 'skypeforlinux'
d) only install it in a strictly confined container
The remaining alternative is to do without Skype on Debian altogether. Under no circumstances should you use the procedure described in this article to install Skype.
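As an added example (not from Weigelt's advisory or this article), a POSIX shell script that implements options a) and c): it lists the apt source entries pointing at a given repository host, lists the key files in trusted.gpg.d for review, and writes an apt pin that confines that repository to the single package. The repository host repo.skype.com is an assumption here, not a value from the advisory; 'skypeforlinux' is the package name the advisory gives.

```shell
#!/bin/sh
# Added example: audit the apt configuration a third-party .deb drops in,
# and confine its repository to one package via apt pinning.
# ASSUMPTION: the repository host name is assumed to be repo.skype.com.
REPO_HOST="repo.skype.com"
PKG_NAME="skypeforlinux"

# Print every "deb"/"deb-src" line under directory $2 that points at host $1,
# so entries added behind the administrator's back become visible.
list_repo_entries() {
    host="$1"; dir="$2"
    grep -rhE "^[[:space:]]*deb(-src)?[[:space:]].*${host}" "$dir" 2>/dev/null || true
}

# List key files apt trusts from directory $1; anything not shipped by the
# distribution (e.g. a vendor key) is a candidate for removal (option a).
list_key_files() {
    find "$1" -maxdepth 1 -type f \( -name '*.gpg' -o -name '*.asc' \) 2>/dev/null | sort
}

# Emit an apt preferences stanza: nothing from host $1 is installable
# (priority -1) except package $2, which keeps the default priority 500.
pin_stanza() {
    host="$1"; pkg="$2"
    printf 'Package: *\nPin: origin %s\nPin-Priority: -1\n\n' "$host"
    printf 'Package: %s\nPin: origin %s\nPin-Priority: 500\n' "$pkg" "$host"
}

# Offline demo on a constructed scratch copy of /etc/apt.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sources.list.d" "$tmp/preferences.d" "$tmp/trusted.gpg.d"
    # Constructed sample files standing in for what the package installs.
    printf 'deb [arch=amd64] https://%s/deb stable main\n' "$REPO_HOST" \
        > "$tmp/sources.list.d/vendor.list"
    printf 'deb http://deb.debian.org/debian stable main\n' \
        > "$tmp/sources.list.d/debian.list"
    : > "$tmp/trusted.gpg.d/vendor.gpg"
    echo "== source entries for $REPO_HOST =="
    list_repo_entries "$REPO_HOST" "$tmp/sources.list.d"
    echo "== trusted key files to review =="
    list_key_files "$tmp/trusted.gpg.d"
    pin_stanza "$REPO_HOST" "$PKG_NAME" > "$tmp/preferences.d/99-$PKG_NAME"
    echo "== pin written to $tmp/preferences.d/99-$PKG_NAME =="
    cat "$tmp/preferences.d/99-$PKG_NAME"
    rm -rf "$tmp"
}
```

On a real system, point the functions at /etc/apt/sources.list.d and /etc/apt/trusted.gpg.d, write the stanza to /etc/apt/preferences.d/, and confirm the result with `apt-cache policy`.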