Microsoft will not be rolling out a fix for a critical Skype vulnerability, which can be exploited to load a malicious DLL library that can be used to give hackers administrative rights in any system.
The bug, which was found in the Skype update service, was discovered by security researcher Stefan Kanthak and promptly reported to Microsoft.
This was in September 2017.
Months later, Microsoft is yet to take any steps to fix the vulnerability. According to sources inside Microsoft, the flawed update service can only be fixed with a “massive code revision.”
This, according to the officials, can turn out to be very time consuming since it will require a complete rewriting of the code.
Since the messaging platform was due for an update, the company has decided to address the security flaw in the upcoming version instead of rolling out a standalone patch.
Bug Allows Hackers to Plant Malicious DLLs
The Skype update service bug, if exploited, can give a hacker admin access to everything including the user’s chats.
To achieve this, a hacker would have to introduce a malicious DLL file to the system, perhaps by sending it via email or planting it on a malicious website.
Once the user runs the update service, the malicious library becomes active. Hackers can then obtain the same administrative rights as the logged in user, making it capable for them to steal information from the PC.
Kanthak confirms that this sort of DLL hijacking poses a threat to Linux and macOS as well. However, as it has always been the case, Windows is by far more vulnerable to this attack vector since the security flaw can be exploited in more ways than one on the operating system.
Vulnerability Yet To Be Exploited In the Wild
So far, there have been no reports of the bug being successfully exploited for anything other than experimental purposes.
Even without verification, it is possible that the vulnerability has not yet been used for malicious intent and the reason for that is that it is not easy to exploit.
As a result, no warnings have been made by Microsoft in regards to the vulnerability. This could also explain their sluggish response to address what is a critical vulnerability in one of the most used messenger services in the world.
This isn’t the first time the messenger platform has been plagued with a vulnerability, however.
Last summer, a critical bug was discovered that would have allowed hackers to write code within systems and even crash them.
A fix was promptly rolled out.
Months later, in January 2018, Skype was listed among messengers that were exposed to hackers due to a weakness in its framework Electron, which is open-source and commonly used in applications.
Evidently, the upcoming Skype client has its work cut out for it.
Microsoft to Skip Standalone Fix
Microsoft have not been very forthcoming with their timelines but it is clear that the vulnerability will not get a standalone patch.
This and a few other of the messenger’s recently discovered bugs are expected to be addressed in the upcoming release, although the tech giant is yet to reveal official dates.
The bug’s discovery completes a trifecta of dangerous vulnerabilities discovered in Microsoft’s messenger service in the span of just a few months.
Microsoft, which has been plagued with various zero-day vulnerabilities for most of last year, continues to suffer from a seemingly insurmountable lack security in a great deal for their systems and apps.
Approaching this latest bug discovery with an all-out clientside upgrade will certainly resolve the issue, but it is not a particularly quick resolution.
Until then, the security flaw is not expected to be particularly troublesome, mainly because it is much harder to exploit.
Users should refrain from updating their Skype messengers until the patched update is rolled out. Customary security measures, such as avoiding malicious websites and spam emails should also be observed.
Should the worst come to happen, the vulnerability will be a dangerous weakness for all operating systems, including Linux and macOS.
But ideally, Microsoft will fix the bug before it comes to that.