Microsoft: We Aren’t Always Lazy… That Unfixable Skype Bug? We Fixed That in October!
On February the 13th, we reported a Skype bug that, according to a security researcher, Microsoft would have to rewrite code to address. The researcher, Stefan Kanthak, had also said that "the attack could be easily weaponized." We had written to Microsoft for clarification on that claim, and while it took the Redmond software giant a couple of days to respond to this public disclosure, it appears the company was at least prompt where it counts.
In a statement to Wccftech, a Microsoft spokesperson said that the bug was actually fixed back in October and doesn't affect the latest Skype versions.
There was an issue with an older version of the Skype for Windows desktop installer – version 7.40 and lower. The issue was in the program that installs the Skype software – the issue was not in the Skype software itself. Customers who have already installed this version of Skype for Windows desktop are not affected. We have removed this older version of Skype for Windows desktop from our website skype.com.
In short, if you are running version 8, you are NOT affected. The bug only affects Skype for Windows versions 7.40 and lower. v8, which brought the fix, was released back in October. Microsoft reemphasized that the current version isn't vulnerable to this problem regardless of what the security researcher suggested.
The installer for the current version of Skype for Windows desktop (v8) does NOT have this issue, and it has been available since October, 2017.
Kanthak, a German security researcher, had informed Microsoft of the issue back in September. He was told that the fix would require a "large code revision." It seems Redmond forgot to tell the person responsible for the discovery that the bug was being fixed. Kanthak appears to have believed that the code revision was never done, which drove him to reach out to the media to disclose the bug.
In the end, it's all good news for end users and IT admins, as they have one less bug and one less update to worry about. But security researchers, while everyone appreciates your hard work, please confirm whether the bug has been addressed before adding to the alert fatigue. As for Microsoft, please update the people who are actually helping you fix bugs.