Skype is unable to fix, without a massive code rewrite, a security flaw that enables attackers to gain system-level privileges on an affected computer. A security researcher has revealed that a potential attacker could exploit the "functionality of the Windows DLL loader where the process loading the DLL searches for the DLL to be loaded first in the same directory in which the process binary resides and then in other directories (e.g., System32)." If an attacker exploits this preferential search order, they can make the loading process load their own rogue DLL rather than the legitimate one.
Once this malicious DLL is in place, Skype's own updater runs and uses another executable file to keep the software up to date, and that executable is vulnerable to the hijacking. Speaking to ZDNet, security researcher Stefan Kanthak - who first discovered this Skype update installer hijacking bug - said that "the attack could be easily weaponized."
He explained, with two command-line examples, how a script or malware could remotely transfer a malicious DLL into that temporary folder.
Skype security bug has been rated medium, but researcher suggests it could be easily weaponized
This Skype security flaw only affects Windows systems and has been rated "medium" in severity. Kanthak said that the attacker needs a medium level of expertise to create a malicious DLL and get it to the right location on the victim's file system.
However, fixing this Skype security bug may prove to be more than a headache for the company. Among the proposed mitigations, the security researcher suggests:
Design: Fix the Windows loading process to eliminate the preferential search order by looking for DLLs in the precise location where they are expected.
Design: Sign system DLLs so that unauthorized DLLs can be detected.
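The following is an added illustration, not Kanthak's tooling or anything from the article: it models the preferential search order the loader follows (application or temporary directory before System32), shows the strict lookup the first mitigation calls for, and audits a search order for DLLs that a writable earlier directory would shadow. Directory contents and DLL names are constructed placeholders.

```python
"""Model of the preferential DLL search order plus an audit for planted DLLs."""
from pathlib import Path
from typing import List, Optional, Set, Tuple

# (directory label, lowercase file names); entries are listed in the order searched.
SearchOrder = List[Tuple[str, Set[str]]]

def resolve_dll(name: str, order: SearchOrder) -> Optional[str]:
    """Loader behaviour described in the article: the first directory in the
    search order that holds `name` wins, even if a trusted copy exists later."""
    name = name.lower()
    for label, files in order:
        if name in files:
            return label
    return None

def resolve_dll_strict(name: str, expected: str, order: SearchOrder) -> Optional[str]:
    """Hardened lookup matching the first proposed mitigation: only the directory
    where the DLL is expected is consulted, so copies planted elsewhere are ignored."""
    files = dict(order).get(expected, set())
    return expected if name.lower() in files else None

def find_shadowed_dlls(order: SearchOrder, trusted: str = "System32") -> List[Tuple[str, str]]:
    """Audit: every DLL present in the trusted directory that the loader would
    nevertheless pick up from an earlier directory. Each hit is a hijack
    candidate that should be investigated or removed."""
    trusted_files = dict(order)[trusted]
    hits = []
    for name in sorted(trusted_files):
        winner = resolve_dll(name, order)
        if winner != trusted:
            hits.append((name, winner))
    return hits

def snapshot_dir(path: str) -> Tuple[str, Set[str]]:
    """Build a search-order entry from a real directory (Windows paths in practice)."""
    p = Path(path)
    return (str(p), {f.name.lower() for f in p.iterdir() if f.suffix.lower() == ".dll"})

# Constructed sample: the updater's temporary folder (searched first) carries a
# file named like a system DLL. "example_system.dll" is a placeholder name.
SAMPLE_ORDER: SearchOrder = [
    ("updater_temp", {"example_system.dll"}),
    ("System32", {"example_system.dll", "kernel32.dll"}),
]

if __name__ == "__main__":
    for dll, where in find_shadowed_dlls(SAMPLE_ORDER):
        print(f"{dll}: loader would take it from {where} instead of System32")
```

On a real host, build the order from `snapshot_dir()` calls over the updater's working folder and System32 and feed it to `find_shadowed_dlls()`.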
The bug can give a local unprivileged user full system-level rights, which means total control of the OS. However, Microsoft told Kanthak that the company can't immediately fix the issue. The Redmond software giant was informed of this attack back in September and was able to reproduce it. But it told the researcher that the fix would need "a large code revision" and would be released with a newer version of Skype instead of through a security update.
- We have reached out to Microsoft to learn more about this issue and will update this space.