A prominent security researcher has uncovered what he claims is a critical vulnerability in Microsoft's Skype application, which is now part of Office 365. However, he adds that the company isn't interested in patching the flaw.
According to security specialist Stefan Kanthak, Microsoft has failed to address the security flaws in the Skype updater process.
If a hacker successfully crafts an exploit to take advantage of the vulnerability, he claimed, they can get full control of a computer. He described it as a "system-level" security vulnerability.
Essentially, that means that an attacker exploiting the flaw could takeover a user's PC, downloading files, tapping passwords and leaving behind backdoors and other malware.
After conducting a series of tests, Kanthak discovered that the problem affects Skype's update installer. Hackers can exploit it using a common but potentially dangerous DLL hijacking method.
With it, attackers can get applications to write malicious code and distribute it across the Windows operating system. Kanthak explained that attackers would use an unprivileged user such as "UXTheme.dll" to do this .
According to security website CAPEC, attackers can use the method to exploit the "functionality of the Windows DLL loader where the process loading the DLL searches for the DLL to be loaded first in the same directory in which the process binary resides and then in other directories".
It continued: "Exploitation of this preferential search order can allow an attacker to make the loading process load the attackers' rogue DLL rather than the legitimate DLL.
Kanthak said: "An unprivileged (local) user who is able to place UXTheme.dll or any of the other DLLs loaded by the vulnerable executable in '%SystemRoot%\Temp\' gains escalation of privilege to the SYSTEM account."
He described Microsoft as taking a lackadaisical approach to the issue. The tech giant, he suggests, is hesitant to issue a security patch because it would simply take too long and involve too much work.
The researcher added: "The [Microsoft] engineers provided me with an update on this case. They've reviewed the code and were able to reproduce the issue, but have determined that the fix will be implemented in a newer version of the product rather than a security update.
"The team is planning on shipping a newer version of the client, and this current version will slowly be deprecated. The installer would need a large code revision to prevent DLL injection, but all resources have been put toward development of the new client."
In other words, rather than fix the issue now, with a security update, Microsoft is willing to take its chances and only implement a fix later, on a fully updated version of Skype.
Moon's dark side is mountainous, rugged and never visible from the Earth
The groundwater basins in some areas of Tehran have been damaged irreversibly
This is the first time that any spacecraft on Mars has recorded air vibrations on the planet
Arctic sea ice is thickening at a faster rate during winter, thus slowing down long-term decline: NASA
But, the seasonal ice growth could only delay the demise of the Arctic ice cap for a few more decades