A zero-day security flaw in the Skype updater process can be exploited to give an attacker system-level privileges on a vulnerable computer, effectively allowing access to every part of the targeted operating system. Security researcher Stefan Kanthak discovered the bug last September and promptly reported it to Microsoft, which owns the messaging, video and voice calling service. However, Microsoft said it would not be immediately fixing the flaw, as doing so would require too much work.
The software giant told Kanthak that issuing a patch would necessitate the updater going through a “large code revision”, and instead, a fix would be issued “in a newer version of the product rather than a security update”. The company said it was putting “all resources” into building a new client.
Meanwhile, the Skype update installer remains vulnerable to attack. Kanthak found that the installer could be exploited using a DLL hijacking technique, which tricks an application into loading malicious code instead of the library it intended to use. An attacker can drop a malicious DLL into a user-accessible temporary folder and give it the name of an existing DLL that an unprivileged user is able to influence, such as UXTheme.dll. Because the installer searches that folder first, the malicious DLL is the one found and loaded when the app looks for the library it needs to run the updater process.
Furthermore, the in-built updater, which Skype uses to keep itself up to date, is also vulnerable to the same hijacking via another executable file it calls upon to run the update.
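Defenders can check for the precondition this attack relies on: a DLL sitting in a user-writable temporary folder under the same name as a library shipped by the system. The following Python audit script is an added example, not code from the article or from Kanthak; the folder names and file contents are constructed, and on a real machine you would point it at the actual temporary and system directories.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large DLLs do not need to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def index_system_dlls(system_dir: Path) -> dict:
    """Map lower-cased DLL name -> path for every DLL found in system_dir."""
    return {p.name.lower(): p for p in system_dir.iterdir()
            if p.is_file() and p.suffix.lower() == ".dll"}


def find_planted_dlls(temp_dir: Path, system_dir: Path) -> list:
    """Return (path, verdict) for DLLs in temp_dir that shadow a system DLL.
    Windows file names are case-insensitive, so names are compared lower-cased.
    'shadows-system-dll': same name but different content (the hijack pattern).
    'copy-of-system-dll': byte-identical; still unexpected in a temp folder."""
    system = index_system_dlls(system_dir)
    findings = []
    for p in sorted(temp_dir.iterdir()):
        if not p.is_file() or p.suffix.lower() != ".dll":
            continue
        ref = system.get(p.name.lower())
        if ref is None:
            continue  # no system DLL of that name, so it cannot shadow one
        verdict = ("copy-of-system-dll" if sha256_of(p) == sha256_of(ref)
                   else "shadows-system-dll")
        findings.append((p, verdict))
    return findings


def demo_findings() -> list:
    """Constructed sample: a fake system folder and a fake temp folder are
    created in a scratch directory; no real Windows paths are touched."""
    with tempfile.TemporaryDirectory() as root:
        system_dir = Path(root, "fake_system32"); system_dir.mkdir()
        temp_dir = Path(root, "fake_temp"); temp_dir.mkdir()
        (system_dir / "UXTheme.dll").write_bytes(b"constructed: genuine UXTheme.dll")
        (temp_dir / "uxtheme.dll").write_bytes(b"constructed: different contents")
        (temp_dir / "example.dll").write_bytes(b"constructed: unrelated helper DLL")
        (temp_dir / "notes.txt").write_bytes(b"constructed: not a DLL")
        return [(p.name, v) for p, v in find_planted_dlls(temp_dir, system_dir)]
```

Only the same-named DLL with differing contents is reported; an unrelated DLL and a non-DLL file in the same folder are ignored.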
Kanthak told ZDNet in an email that, despite its clunkiness, the attack could be weaponized very easily. He offered two command line examples showing how malware or a script could remotely transfer a malicious DLL into a user-accessible temporary folder. Kanthak said that while the problem had been isolated on Windows, the Mac and Linux updaters are also vulnerable to the zero-day.
He described the power an attacker would hold once system privileges were gained as that of an “administrator on steroids”. Once on the system, an attacker could delete data, steal files, or deploy ransomware to hold files hostage.
Microsoft did not issue a comment to the ZDNet story.
Last March, Skype was hit by complaints from users about a form of malvertising affecting the app. Ads displayed via Skype were found to serve malicious downloads, which could trigger ransomware if opened.
The “fake Flash” ad was targeted at Windows machines and pushed a download which, if opened, triggered a ‘two stage’ dropper. Ali-Reza Anghaie of Phobos Group said, “It’s effectively the utility component of the malware that then decides what else to do based on the command and control it connects to.”
At the time, Microsoft said the malware-pushing ad was a “social engineering” effort, and denied any responsibility for the problem.