{"id":7293,"date":"2018-10-07T00:55:00","date_gmt":"2018-10-06T22:55:00","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=7293"},"modified":"2021-02-05T09:43:57","modified_gmt":"2021-02-05T08:43:57","slug":"skype-enables-complete-machine-takeover-in-debian","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2018\/10\/07\/skype-enables-complete-machine-takeover-in-debian\/","title":{"rendered":"Skype enables complete machine takeover in Debian"},"content":{"rendered":"

[German<\/a>]It's a very unpleasant story: Skype enables the complete takeover of the system by Microsoft under Debian. If a private key is known, the system could be manipulated or malware included. You should not install Skype or install it in an isolated container.<\/p>\n

<\/p>\n

The information has reached me a few days now. On seclist.org I came across the security note Skype Debian package: allows complete machine takeover for Microsoft<\/a>. Enrico Weigelt, Metux IT Consult, already describes the bug there on 25 September 2018, which can be regarded as critical. He describes the problem as follows:<\/p>\n

\n

  The Skype debian packege for Skype (even when not installed via their
  offical repo) automatically installs apt configuration that adds
  Microsoft's apt repo to the system's package sources.<\/p>\n

  That way, Microsoft (or anybody holding their repo's private key)
  can easily inject malicious packages via regular update and replace
  distro packages w\/ their own manipulated ones.<\/p>\n<\/blockquote>\n

A situation that simply cannot be tolerated. Enrico Weigelt then logically suggests that Microsoft remove all apt configuration material from .deb. Until Microsoft reacts, Debian users can only do the following:<\/p>\n

a) remove Skype's apt config (sources.list entry as well as the
   Microsoft apt key) immediately after installation
b) unpack and repackage it manually (w\/o that apt config) before
   installation on production machines
c) use apt pinning to restrict the Microsoft repo to only the
   package 'skypeforlinux'
c) only install it in a strictly confined container<\/p>\n

The last alternative would be to omit Skype under Debian. Under no circumstances should you use the procedure described in this article<\/a> to install Skype.<\/p>\n","protected":false},"excerpt":{"rendered":"

[German]It's a very unpleasant story: Skype enables the complete takeover of the system by Microsoft under Debian. If a private key is known, the system could be manipulated or malware included. You should not install Skype or install it in … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580],"tags":[69],"class_list":["post-7293","post","type-post","status-publish","format-standard","hentry","category-security","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/7293","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=7293"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/7293\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=7293"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=7293"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=7293"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}