A critical security flaw has been found in Skype’s updater process on macOS and Windows that, if exploited, could give attackers system-level access.
As ZDNet explains in a report, the bug can be used to escalate an unprivileged user to complete ‘system’ level rights, giving that user access to every corner of the operating system.
Microsoft, the owner of Skype, however, states that the flaw cannot be immediately fixed because it would require “too much work”. According to the report, fully dealing with the bug, which involves DLL injection, would require Microsoft to revise Skype’s code.
The bug was found by security researcher Stefan Kanthak, who spotted that the update installer can be exploited using a DLL hijacking technique. The attack is a little cumbersome to execute but can be run on macOS and Linux systems as well, says Kanthak.
Once the attacker gains ‘system’ privileges, he/she “can do anything,” Kanthak told the publication. “‘System’ is ‘administrator’ on steroids. From there, an attacker could steal files, delete data, or hold data hostage by running ransomware,” he added.
Kanthak had alerted Microsoft to the bug back in September, and Microsoft responded that it was aware DLL injection was possible, since its engineers were also able to reproduce the findings.
The company said that rather than addressing the issue with a security update, it will release a fix with a newer version of the client while the current version “will slowly be deprecated.”