
Critical Skype security flaw puts you at risk but Microsoft won’t fix it

Face-to-face video conversations with people halfway across the globe used to be strictly a science fiction concept. Who would have thought that services like Skype would bring this technology to the general public? It's amazing to think that Star Trek and Back to the Future style video calls are now so commonplace.

It's so commonplace that Skype is an essential video chat platform for millions of people. If you're setting up an online video chat, there's a good chance that you will use Skype. The name is so synonymous with video chatting that "Skyping" is now an accepted term.

However, whenever services like these get popular, cybercriminals will always look for software holes they can exploit. It’s up to the software maker then to patch them as soon as they can.

This is why this newly revealed Skype flaw is something you need to know about, and why we won't be getting a patch anytime soon.

Skype security flaw

The flaw I'm talking about is a security bug in Skype's update process. It is a privilege escalation: an attacker who can already run code or place a file on your computer as an ordinary, unprivileged user can use it to take full control of the machine.

The flaw was discovered by security researcher Stefan Kanthak and he said that all it takes is a simple DLL file hijacking trick.

Note: DLL stands for "Dynamic Link Library." A DLL is a shared library of code that Windows programs load at run time instead of carrying a copy of that code themselves. Many of the DLLs a program needs live in the Windows system folder (System32).

Basically, all an attacker has to do is drop a malicious DLL into a temporary folder that any user can write to (for example, %SystemRoot%\Temp) and give it the name of a genuine DLL that the updater loads (for example, UXTheme.dll).

This works because of the order in which Windows searches for a DLL that a program asks for by name: the folder the program is running from is checked before the system folder. A program that runs from that Temp folder, or is otherwise pointed at it, therefore finds the planted copy first and loads it instead of the real one in System32.

Skype updates itself using a separate updater program that runs with elevated (SYSTEM) privileges, and that updater is vulnerable to exactly this DLL hijacking. Because the planted DLL is loaded into the updater, the attacker's code runs with the updater's privileges, not the user's.

With SYSTEM-level privileges gained, an attacker can then do all sorts of nasty stuff including stealing files, deleting files and installing more malware such as ransomware.
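The following is an added example, not code from the article and not Skype's or Microsoft's code. It models the Windows DLL search order the article relies on, shows why a DLL planted in a world-writable Temp folder wins for a program that runs from that folder (while a program installed under a protected directory, or a DLL on the KnownDLLs list, is unaffected), and includes the simple audit a defender can run over such folders. The directory layout, file contents and the subset of KnownDLLs are constructed for illustration; the actual updater's behaviour is as described in the article, not verified here.

```python
# Added example: model of the Windows DLL search order plus a defender's
# audit of world-writable folders. Paths and file contents are constructed.
import os
import tempfile

# A few genuine KnownDLLs (illustrative subset). The loader always maps these
# from System32, so a copy planted elsewhere is never picked up.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "ntdll.dll", "advapi32.dll"}


def search_order(app_dir, system_dir, windows_dir, cwd, path_dirs):
    """Directories consulted, in order, for an implicitly loaded DLL when
    SafeDllSearchMode is on (the default): the program's own directory first,
    then System32, then the Windows directory, then the current directory,
    then each PATH entry. The 16-bit System directory is omitted."""
    return [app_dir, system_dir, windows_dir, cwd, *path_dirs]


def resolve_dll(name, system_dir, dirs, known_dlls=KNOWN_DLLS):
    """Return the path the loader would use for `name`: KnownDLLs come from
    System32 unconditionally; anything else is the first hit along `dirs`."""
    if name.lower() in known_dlls:
        return os.path.join(system_dir, name)
    for d in dirs:
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def audit_writable_dirs(writable_dirs, system_dir):
    """Defender's check: DLL files in a world-writable directory whose names
    collide with a DLL that also exists in System32 are hijack candidates."""
    system_names = {n.lower() for n in os.listdir(system_dir)}
    hits = []
    for d in writable_dirs:
        for entry in os.listdir(d):
            lower = entry.lower()
            if lower.endswith(".dll") and lower in system_names:
                hits.append(os.path.join(d, entry))
    return hits


def _touch(path, content=b""):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(content)


def demo():
    """Build a constructed layout in a scratch directory and report:
    (planted DLL wins for a Temp-resident updater,
     KnownDLL still comes from System32,
     a program under Program Files gets the genuine DLL,
     names flagged by the audit)."""
    with tempfile.TemporaryDirectory() as root:
        windows = os.path.join(root, "Windows")
        system32 = os.path.join(windows, "System32")
        win_temp = os.path.join(windows, "Temp")          # world-writable
        program_dir = os.path.join(root, "Program Files", "Skype")
        _touch(os.path.join(system32, "UXTheme.dll"), b"genuine")
        _touch(os.path.join(system32, "kernel32.dll"), b"genuine")
        _touch(os.path.join(win_temp, "UXTheme.dll"), b"planted")   # attacker's copy
        _touch(os.path.join(win_temp, "kernel32.dll"), b"planted")  # KnownDLL: ignored
        _touch(os.path.join(program_dir, "Skype.exe"))

        # Updater executing from Temp: its application directory is Temp.
        dirs_vuln = search_order(win_temp, system32, windows, win_temp, [])
        planted = resolve_dll("UXTheme.dll", system32, dirs_vuln)
        known = resolve_dll("kernel32.dll", system32, dirs_vuln)

        # Same request from a program installed in a protected directory.
        dirs_safe = search_order(program_dir, system32, windows, program_dir, [])
        genuine = resolve_dll("UXTheme.dll", system32, dirs_safe)

        flagged = sorted(os.path.basename(p).lower()
                         for p in audit_writable_dirs([win_temp], system32))
        return (
            planted.startswith(win_temp),
            known.startswith(system32),
            genuine.startswith(system32),
            flagged,
        )


if __name__ == "__main__":
    print(demo())
```

The audit deliberately flags any DLL in a writable folder that shares a name with a System32 DLL, whether or not it is a KnownDLL: a file like that has no legitimate reason to be in Temp, and the point of the check is to catch a planted library before an elevated updater runs.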

Why Microsoft won’t fix it

Kanthak stated that he informed Microsoft of the bug in September, but the software giant said that it will not patch the issue since doing so would require a "large code revision."

Although Microsoft engineers were able to replicate the exploit, they consider it a low-risk threat, so the fix will be delivered in a "newer version of the product rather than a security update."

Microsoft said that it is putting all of its resources into building a "new client." This means we will have to wait for the next major version of Skype before this bug is dealt with.

When will Microsoft release this brand new Skype client, though? Currently, the timeline is still not known.

In the meantime, follow the usual computer security precautions and you should be fine. Keep in mind what this bug actually does: it turns code that is already running on your computer as an ordinary user into code running with full system privileges. So using a "standard" account instead of an "admin" account for everyday use still limits the damage from most attacks, but it does not block this one. What matters most here is keeping malicious code off the machine in the first place.

Be careful with links, files and programs that you download or install, and don't plug in unknown USB drives. Always lock your computer when not in use. Stay away from sketchy websites and online ads. Use a "standard" account and not an "admin" account for everyday use. Have strong anti-virus software and a secure backup of your files. If you administer Windows machines, you can also check folders that any user can write to, such as %SystemRoot%\Temp and the per-user temp folder, for DLL files that share a name with a system DLL such as UXTheme.dll; a file like that has no business being there and is the sign of this trick being set up.
