Author: Justin Pot / Source: howtogeek.com

If the desktop version of Skype is on your Windows computer, you’re vulnerable to a really nasty exploit. A flaw in Skype’s update tool could give attackers full control over your system, and Microsoft says there isn’t going to be a fix any time soon.
Happily, you can avoid the problem completely by replacing the “desktop” version of Skype with the one available from the Microsoft Store. Still, it’s embarrassing for Microsoft’s own software to have a weakness this fundamental, and the exploit in question is one Redmond has warned other developers about multiple times.
Here’s how this exploit works, and how you can make sure you’re using the safe Windows Store version of Skype.
What’s Wrong With Skype?
Updating software is supposed to keep you secure, but ironically in Skype’s case, updating is the problem. That’s because the flaw here isn’t with Skype itself, but rather the tool Skype uses to find and install updates. This update tool is vulnerable to DLL hijacking, as researcher Stefan Kanthak outlines:
This executable is vulnerable to DLL hijacking: it loads at least UXTheme.dll from its application directory %SystemRoot%\Temp instead of from Windows’ system directory. An unprivileged (local) user who is able to place UXTheme.dll or any of the other DLLs loaded by the vulnerable executable in %SystemRoot%\Temp gains escalation of privilege to the SYSTEM account.
Basically, Skype runs DLLs from the Temp folder, which users can access without administrator rights. This makes it trivial for bad actors to switch out the DLLs…
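To check a machine for the condition described above, the following PowerShell audit lists any DLLs in %SystemRoot%\Temp that share a name with a System32 DLL and shows which principals can write to that folder. It is an added example, not code from the original article or from Kanthak's advisory, and its variable names are illustrative.

```powershell
# Added example: audit %SystemRoot%\Temp for DLLs that shadow system DLLs.
# Run from an elevated prompt so the folder's contents can be listed.
$tempDir   = Join-Path $env:SystemRoot 'Temp'
$systemDir = Join-Path $env:SystemRoot 'System32'

$findings = Get-ChildItem -Path $tempDir -Filter '*.dll' -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $systemCopy = Join-Path $systemDir $_.Name
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Name          = $_.Name
            Path          = $_.FullName
            Created       = $_.CreationTime
            Owner         = (Get-Acl -Path $_.FullName).Owner
            Signature     = $sig.Status
            ShadowsSystem = Test-Path -LiteralPath $systemCopy
        }
    }

# A DLL here with the same name as one in System32 (UXTheme.dll in the
# advisory) matches the pattern described above; unsigned copies or copies
# owned by a non-administrative account deserve the closest look.
$suspect = $findings | Where-Object { $_.ShadowsSystem }
if ($suspect) {
    $suspect | Sort-Object Created | Format-Table -AutoSize
} else {
    Write-Output "No DLLs in $tempDir share a name with a System32 DLL."
}

# Show who may create files in the folder; write-type rights held by
# unprivileged principals are what make swapping in a DLL possible.
(Get-Acl -Path $tempDir).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.FileSystemRights -match 'Write|Modify|FullControl|CreateFiles|AppendData' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```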