MICROSOFT HAS said that it won't be rushing to fix a vulnerability in its messenger app Skype because it's too much like hard work.
The exploit would allow an attacker to download a malicious DLL and place it into a user-accessible temporary folder, renaming it to an existing DLL that could be modified by a user lacking privileges. When installing updates, Skype uses another executable for the built-in updater component of the voice and video chat application, and this process is vulnerable to hijacking. The bug works because the malicious DLL is found first when the app searches for the DLL it needs. Kanthak told ZDNet that while the attack is "clunky", it can be easily weaponized and that there are multiple ways to go about it.
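
The lookup weakness described above can be audited from the defender's side. The sketch below is an added example, not code from Skype, Microsoft or the researcher; it models a simplified first-match directory search, and the folder layout, the name `needed.dll` and the writability check are constructed assumptions.

```python
import os
import tempfile
from pathlib import Path

def audit_dll_search(search_dirs, dll_names, is_user_writable=None):
    """Return (dll, directory, status) for every DLL whose first-hit lookup
    an unprivileged user could win by writing into a searched directory."""
    if is_user_writable is None:
        # Default: writable by the account running the audit.
        is_user_writable = lambda d: os.access(d, os.W_OK)
    findings = []
    for name in dll_names:
        for d in map(Path, search_dirs):
            if not d.is_dir():
                continue
            # Windows file names are case-insensitive, so compare lowercased.
            present = any(p.name.lower() == name.lower() for p in d.iterdir())
            if is_user_writable(d):
                # Nothing earlier supplied the DLL, so a file here is loaded first.
                status = "replaceable" if present else "plantable"
                findings.append((name, str(d), status))
                break
            if present:
                break  # resolved from a protected directory; search stops
    return findings

def demo():
    """Constructed layout: updater unpacked into a temp folder vs. a protected one."""
    root = Path(tempfile.mkdtemp())
    temp_dir = root / "temp"
    protected_dir = root / "protected"
    system_dir = root / "system"
    for d in (temp_dir, protected_dir, system_dir):
        d.mkdir()
    (system_dir / "needed.dll").write_bytes(b"")  # the legitimate copy
    writable = {temp_dir}                         # constructed ACL model
    check = lambda d: d in writable
    weak = audit_dll_search([temp_dir, system_dir], ["NEEDED.DLL"], check)
    fixed = audit_dll_search([protected_dir, system_dir], ["NEEDED.DLL"], check)
    return weak, fixed, str(temp_dir)

if __name__ == "__main__":
    weak, fixed, _ = demo()
    print("updater run from temp folder:", weak)
    print("updater run from protected folder:", fixed)
```

A finding means a privileged process would load whatever file an ordinary user places under that name; an empty result means every lookup resolves from a directory the user cannot write to.
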
This Skype security flaw only affects Windows systems and has been rated as "medium" in severity.
If exploited, the flaw would give an ordinary user account all the privileges of a SYSTEM user. He added that other operating systems, such as macOS and Linux, can be affected in a similar fashion.
As the current Skype app would need a large code revision to prevent the DLL injection described above, Microsoft has decided not to fix it.
The company told him that even though engineers "were able to reproduce the issue", a fix will land "in a newer version of the product rather than a security update".
Skype might seem an unlikely app through which to target a user, because it runs at the same privilege level as the local, logged-in user, making it hard for attackers to do much with that low level of access.
Microsoft said it put "all resources" into building a new client, but has not revealed when that's likely to land.
If there's a reason why you've never made anyone a SYSTEM user, it's because you can't, you shouldn't, and heaven help you if you do.