Skype security bug requires major rewrite

综合技术 HEXUS

There is a security issue with Skype that is so problematic that it will require a major rewrite of the app, reports ZDNet . Microsoft has known about the bug, since at least September, and can reproduce the issue. However fixes will be delivered in a new version of the Skype client rather than an update as it is “too much work,” to complete the bug fix now, says the source. While we wait, the bug could be exploited to escalate “a local unprivileged user to the full ‘system’ level rights – granting them access to every corner of the operating system”.

Behind the security issue is an exploit technique called ‘DLL hijacking’. Here’s how it is possible:

  • An attacker downloads a malicious DLL into a user-accessible temporary folder
  • The attacker renames the DLL to one that can be modified by an unprivileged user, like UXTheme.dll
  • The malicious DLL is found first when the Skype updater app searches for the DLL it needs during update

ZDNet explains that Skype has its own built-in updater and when it runs it uses another executable file to run the update, which is vulnerable to the hijacking.

While the attack is described as “on the clunky side,” it could nevertheless easily be weaponised, insists Security Researcher Stefan Kanthak . For examples Kanthak supplied two command line examples, how a script or malware could remotely transfer a malicious DLL into that temporary folder. He went on to remind the reporter that DLL hijacking isn’t limited to Windows systems, Macs and Linux systems are vulnerable too.

If exploited successfully the bug is rather serious. With ‘system’ privileges gained, an attacker “can do anything,” Kanthak said. However Microsoft isn’t rushing to fix this, as mentioned in the intro. Microsoft does say that it has put “all resources” into building an altogether new client. Remember this is a potential threat from local unprivileged users – not unknown remote hackers.

HEXUS稿源:HEXUS (源链) | 关于 | 阅读提示

本站遵循[CC BY-NC-SA 4.0]。如您有版权、意见投诉等问题,请通过eMail联系我们处理。
酷辣虫 » 综合技术 » Skype security bug requires major rewrite

喜欢 (0)or分享给?

专业 x 专注 x 聚合 x 分享 CC BY-NC-SA 4.0

使用声明 | 英豪名录