Responsible Disclosure: You Lost 5 Months of Pwning Corporate/Government Computers

Skype can’t fix a nasty security bug without a massive code rewrite by Zack Whittaker.

From the post:

A security flaw in Skype’s updater process can allow an attacker to gain system-level privileges to a vulnerable computer.

The bug, if exploited, can escalate a local unprivileged user to the full “system” level rights — granting them access to every corner of the operating system.

But Microsoft, which owns the voice- and video-calling service, said it won’t immediately fix the flaw, because the bug would require too much work.

Security researcher Stefan Kanthak found that the Skype update installer could be exploited with a DLL hijacking technique, which allows an attacker to trick an application into drawing malicious code instead of the correct library. An attacker can download a malicious DLL into a user-accessible temporary folder and rename it to an existing DLL that can be modified by an unprivileged user, like UXTheme.dll. The bug works because the malicious DLL is found first when the app searches for the DLL it needs.

Once installed, Skype uses its own built-in updater to keep the software up to date. When that updater runs, it uses another executable file to run the update, which is vulnerable to the hijacking.

Impact of responsible disclosure?

Microsoft sat on its ass for over five months, five months you could have been pwning corporate and government computers, only to say (paraphrase): “It’s too hard.”

It wasn’t too hard for them to completely break Skype for Ubuntu and possibly other flavors of Linux. But fixing a large bug? No, let us introduce some new ones and then we’ll think about the existing ones.

Most corporations and governments maintain secrets only by lack of effort on the part of the public.

Give that some thought when deciding how to spend your leisure time.

Comments are closed.