Skype bug could allow malicious attacker ‘system’ level access, Microsoft says fix is ‘too much work’ and will rebuild Skype for Windows instead
A critical security flaw has been found in Skype's updater process on macOS and Windows that could give a local attacker system-level access if exploited. The flaw was published on February 9 by security researcher Stefan Kanthak and affects both the macOS and Windows desktop clients. However, according to a report from ZDNet, Microsoft said it won't immediately fix the flaw because doing so would take "too much work," stating that it would require a full rewrite of the application.
Kanthak said the Skype updater can be abused to make the application load the wrong DLL on Windows: the attacker creates a malicious DLL, renames it to match one Skype would load, and places it where the updater picks it up in place of the original file. Even though DLLs don't exist on macOS, Kanthak says the attack is still possible on macOS or Linux. Once system access is granted, it "can do anything," he says. Microsoft says that instead of issuing a security update, Skype will undergo a major revision later in which the bug will be fixed. This came after the company told Kanthak that its engineers were able to reproduce the bug.
Below is the email from Stefan Kanthak:
From: “Stefan Kanthak” <stefan.kanthak () nexgo de>
Date: Fri, 9 Feb 2018 19:01:40 +0100
Hi @ll,

for about two or three years now, Microsoft has offered Skype as an optional update on Windows/Microsoft Update.

JFTR: for Microsoft's euphemistic use of "update" see
<http://seclists.org/fulldisclosure/2018/Feb/17>

Once installed, Skype uses its own proprietary update mechanism instead of Windows/Microsoft Update: Skype periodically runs
"%ProgramFiles%\Skype\Updater\Updater.exe"
under the SYSTEM account.

When an update is available, Updater.exe copies/extracts another executable as "%SystemRoot%\Temp\SKY<abcd>.tmp" and executes it using the command line
"%SystemRoot%\Temp\SKY<abcd>.tmp" /QUIET

This executable is vulnerable to DLL hijacking: it loads at least UXTheme.dll from its application directory %SystemRoot%\Temp\ instead of from Windows' system directory.

An unprivileged (local) user who is able to place UXTheme.dll or any of the other DLLs loaded by the vulnerable executable in %SystemRoot%\Temp\ gains escalation of privilege to the SYSTEM account.

The attack vector is well-known and well-documented as CAPEC-471:
<https://capec.mitre.org/data/definitions/471.html>
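The advisory above rests on two conditions: an unprivileged user can create files in %SystemRoot%\Temp, and a SYSTEM-level process executes from that directory and resolves DLLs relative to it. The following PowerShell audit is an added example written for this page; it is not code from the article, from ZDNet, or from Kanthak's advisory, and nothing in it comes from Skype or Microsoft. It checks the directory ACL for write rights held by low-privilege identities, looks for the Skype updater binary, and lists any DLL already sitting in the Temp directory with its owner and Authenticode status. The identity list and the write-rights mask are this script's own assumptions about what counts as "any local user can write"; adjust them for hardened builds.

```powershell
# Added audit script (not from Kanthak's advisory, Skype or Microsoft).
# Run from an elevated PowerShell session: non-administrators cannot list %SystemRoot%\Temp.

$tempDir = Join-Path $env:SystemRoot 'Temp'

# Assumption: identities that every interactive local user holds. A write ACE for any of
# these turns the directory into a drop point for a planted DLL.
$lowPrivIdentities = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Assumption: rights that allow creating or overwriting a file. CreateFiles is the same bit
# as WriteData; 0x40000000 and 0x10000000 are GENERIC_WRITE and GENERIC_ALL, which show up
# in some ACEs as raw values rather than as named FileSystemRights members.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Write, Modify, FullControl'
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

function Test-LowPrivWrite {
    # Returns the Allow ACEs on $Path that grant a write-capable right to a low-privilege identity.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) { $ace }
    }
}

Write-Host "== Write ACEs on $tempDir held by low-privilege identities =="
$writeAces = @(Test-LowPrivWrite -Path $tempDir)
if ($writeAces.Count -gt 0) {
    $writeAces | Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
    Write-Host "Unprivileged users can plant files in $tempDir. Any privileged executable that runs from there and resolves DLLs relative to its own directory is exposed to DLL hijacking (CAPEC-471)."
} else {
    Write-Host "No low-privilege write access found on $tempDir."
}

# Presence of the updater the advisory names. The 32-bit Program Files directory is checked
# as well, since the classic desktop client installs there on 64-bit Windows.
Write-Host "`n== Skype Updater presence =="
$programDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($dir in $programDirs) {
    $updater = Join-Path $dir 'Skype\Updater\Updater.exe'
    if (Test-Path -Path $updater) {
        $sig = Get-AuthenticodeSignature -FilePath $updater
        Write-Host "$updater  (signature: $($sig.Status))"
    }
}

# A DLL in %SystemRoot%\Temp is suspicious on its own: the directory is scratch space, and a
# file there named like a system library (UXTheme.dll, ...) is exactly the hijack payload.
Write-Host "`n== DLLs present in $tempDir =="
Get-ChildItem -Path $tempDir -Filter '*.dll' -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Name      = $_.Name
            Owner     = (Get-Acl -Path $_.FullName).Owner
            LastWrite = $_.LastWriteTime
            Signature = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    } | Format-Table -AutoSize
```

On a stock Windows install the first section is expected to report BUILTIN\Users with CreateFiles/AppendData rights: that is the default ACL on %SystemRoot%\Temp, not a misconfiguration, and it is precisely what lets a standard user drop UXTheme.dll there. The finding that matters is the combination with a SYSTEM process that executes from that directory, so the third section (a DLL owned by a non-administrator, unsigned or signed by an unexpected party) is the part to alert on; restricting the directory ACL would break legitimate users of Windows' temp area, so the durable fix belongs in the executable that resolves its libraries from there.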
A Microsoft spokesperson later made the following statement: "We have a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is that on issues of low risk, we remediate that risk via our Update Tuesday schedule."