A prominent security researcher has uncovered what he claims is a critical vulnerability in Microsoft's Skype application, which is now part of Office 365. However, he adds that the company isn't interested in patching the flaw.
According to security specialist Stefan Kanthak, Microsoft has failed to address the security flaws in the Skype updater process.
If a hacker successfully crafts an exploit to take advantage of the vulnerability, he claimed, they can get full control of a computer. He described it as a "system-level" security vulnerability.
Essentially, that means that an attacker exploiting the flaw could take over a user's PC, downloading files, tapping passwords and leaving behind backdoors and other malware.
After conducting a series of tests, Kanthak discovered that the problem affects Skype's update installer. Hackers can exploit it using a common but potentially dangerous DLL hijacking method.
With it, attackers can trick an application into loading malicious code in place of a legitimate library. Kanthak explained that an unprivileged user could do this by planting a DLL such as "UXTheme.dll".
According to security website CAPEC, attackers can use the method to exploit the "functionality of the Windows DLL loader where the process loading the DLL searches for the DLL to be loaded first in the same directory in which the process binary resides and then in other directories".
It continued: "Exploitation of this preferential search order can allow an attacker to make the loading process load the attackers' rogue DLL rather than the legitimate DLL."
Kanthak said: "An unprivileged (local) user who is able to place UXTheme.dll or any of the other DLLs loaded by the vulnerable executable in '%SystemRoot%\Temp\' gains escalation of privilege to the SYSTEM account."
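A defender's check for the search-order problem CAPEC and Kanthak describe, as an added example that is not Kanthak's or Microsoft's code: it models the loader's directory order and reports every imported DLL that an unprivileged user could plant ahead of the legitimate copy. The directory contents, the writability flags and the `%ProgramFiles%\ExampleApp` path are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Directory:
    path: str
    user_writable: bool  # can an unprivileged user create files here?
    files: set = field(default_factory=set)


def find_planting_risks(imports, search_order):
    """Return (dll, writable_dir, resolved_dir) for each hijackable import.

    An import is hijackable when a user-writable directory is searched
    before, or is, the directory the DLL currently resolves from.
    resolved_dir is None when the DLL is not found anywhere in the order.
    """
    risks = []
    for dll in imports:
        writable = None  # first user-writable directory searched so far
        resolved = None  # directory the loader would pick today
        for d in search_order:
            if writable is None and d.user_writable:
                writable = d
            if dll.lower() in {f.lower() for f in d.files}:
                resolved = d
                break  # the loader stops at the first match
        if writable is not None:
            risks.append((dll, writable.path, resolved.path if resolved else None))
    return risks


# Constructed sample data. The application directory is searched first.
SYSTEM32 = Directory(r"%SystemRoot%\System32", False, {"uxtheme.dll"})
TEMP = Directory(r"%SystemRoot%\Temp", True, {"updater.exe"})  # assumed writable
PROTECTED = Directory(r"%ProgramFiles%\ExampleApp", False, {"updater.exe"})

VULNERABLE_ORDER = [TEMP, SYSTEM32]      # executable runs from the Temp directory
HARDENED_ORDER = [PROTECTED, SYSTEM32]   # executable runs from an admin-only directory

if __name__ == "__main__":
    for label, order in (("temp", VULNERABLE_ORDER), ("protected", HARDENED_ORDER)):
        print(label, find_planting_risks(["UXTheme.dll"], order))
```

The same function can be fed real data by listing each directory in the order the loader uses and recording whether standard users hold create-file rights on it.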
He described Microsoft as taking a lackadaisical approach to the issue. The tech giant, he suggests, is hesitant to issue a security patch because it would simply take too long and involve too much work.
The researcher added: "The [Microsoft] engineers provided me with an update on this case. They've reviewed the code and were able to reproduce the issue, but have determined that the fix will be implemented in a newer version of the product rather than a security update.
"The team is planning on shipping a newer version of the client, and this current version will slowly be deprecated. The installer would need a large code revision to prevent DLL injection, but all resources have been put toward development of the new client."
In other words, rather than fix the issue now, with a security update, Microsoft is willing to take its chances and only implement a fix later, on a fully updated version of Skype.