Keeping Knowledge Free for Over a Decade

Skype can't fix a nasty security bug without a massive code rewrite

posted onFebruary 13, 2018

by l33tdawg

https://zdnet1.cbsistatic.com/hub/i/r/2018/02/12/9595ebc7-ff4c-48ec-b7c6-589faaf1336a/resize/770xauto/4611bfb70bc59d76ebb17c05f53c786f/skype.jpg

A security flaw in Skype's updater process can allow an attacker to gain system-level privileges to a vulnerable computer.

The bug, if exploited, can escalate a local unprivileged user to the full "system" level rights -- granting them access to every corner of the operating system.

But Microsoft, which owns the voice- and video-calling service, said it won't immediately fix the flaw, because the bug would require too much work.

Security researcher Stefan Kanthak found that the Skype update installer could be exploited with a DLL hijacking technique, which allows an attacker to trick an application into drawing malicious code instead of the correct library. An attacker can download a malicious DLL into a user-accessible temporary folder and rename it to an existing DLL that can be modified by an unprivileged user, like UXTheme.dll. The bug works because the malicious DLL is found first when the app searches for the DLL it needs.

Source

Tags

Security

You May Also Like

Recent News

Monday, May 21st

France, China, and the EU All Have an AI Strategy. Shouldn’t the US?

A New Look Inside Theranos’ Dysfunctional Corporate Culture

IPv6 growth is slowing and no one knows why

Could You Upload Your Brain?

Why you shouldn't worry about radiation from your Wi-Fi router or iPhone

Asteroid orbiting the wrong way outed as an 'alien'

Apple cracks down on CallKit-enabled apps in China’s App Store

Thursday, May 17th

What Happened to Facebook's Grand Plan to Wire the World?

Google’s Chrome browser to drop secure label for all HTTPS sites

Tel Aviv Stock Exchange plans blockchain securities lending platform

North Korea May Be Secretly Selling Face Recognition Tech Abroad Through Front Companies

Website leaked real-time location of most US cell phones to almost anyone

Monday, May 14th

Critical PGP and S/MIME bugs can reveal encrypted e-mails. Uninstall now

Facial-recognition software inaccurate in 98% of cases, report finds

Tuesday, May 8th

4 Firefox extensions to install now

Bad guys have something new to play with! Microsoft Excel adds support for JavaScript

Equifax reveals full horror of that monstrous cyber-heist of its servers

Ukrainian Securities Regulator To Consider Crypto As Financial Instrument

Red Hat smitten by secure enclaves 'cos some sysadmins are evil

Magical Money - the ICO crypto-currency boom

May Patch Tuesday Fixes Two Bugs Under Active Attack

Sierra Wireless Patches Critical Vulns in Range of Wireless Routers

Google’s ML Kit offers easy machine learning APIs for Android and iOS

Apple: All app updates must support the iPhone X and iOS 11 come July

Saturday, May 5th

How FREE VPNs Sell Your Data

Thursday, May 3rd

Just because you can solve your problems with a blockchain, doesn't mean you should - Zulfikar Ramzan.

North Korea Denies it Hacked UN Sanctions Committee Database

Your Instagram #Dogs and #Cats Are Training Facebook's AI

Cambridge Analytica shuts down after Facebook user data scandal

Wednesday, May 2nd

Industry CMO on the Downstream Risks of "Logo Disclosures"

GitHub Exposed Passwords of Some Users

Apple meets with California DMV officials to discuss autonomous vehicles

Security Trade-Offs in the New EU Privacy Law

Oculus Go review: The wireless-VR future begins today for only $199

Mark Zuckerberg Says It Will Take 3 Years to Fix Facebook

Latest Conference Videos

Join Us On Facebook

Hack In The Box

HITBSecConf On Twitter

Tweets by HITBSecConf

Powered By