Skype Can't Fix a Nasty Security Bug Without a Massive Code Rewrite (zdnet.com)
ZDNet reports of a security flaw in Skype's updater process that "can allow an attacker to gain system-level privileges to a vulnerable computer." If the bug is exploited, it "can escalate a local unprivileged user to the full 'system' level rights -- granting them access to every corner of the operating system." What's worse is that Microsoft, which owns Skype, won't fix the flaw because it would require the updater to go through "a large code revision." Instead, Microsoft is putting all its resources on building an altogether new client. From the report: Security researcher Stefan Kanthak found that the Skype update installer could be exploited with a DLL hijacking technique, which allows an attacker to trick an application into drawing malicious code instead of the correct library. An attacker can download a malicious DLL into a user-accessible temporary folder and rename it to an existing DLL that can be modified by an unprivileged user, like UXTheme.dll. The bug works because the malicious DLL is found first when the app searches for the DLL it needs. Once installed, Skype uses its own built-in updater to keep the software up to date. When that updater runs, it uses another executable file to run the update, which is vulnerable to the hijacking. The attack reads on the clunky side, but Kanthak told ZDNet in an email that the attack could be easily weaponized. He explained, providing two command line examples, how a script or malware could remotely transfer a malicious DLL into that temporary folder.
The article indicates that the Updater is the problem, not Skype. The Updater runs in a privileged environment, and is susceptible to loading non-system DLLs. The article says the same can happen on Macs and on Linux except that neither platform uses DLLs nor allows sourcing libraries from local (non-system) directories.
Of course Linux is completely immune to such attacks because LD_PRELOAD is open source.
Phew. https://www.cs.rutgers.edu/~pxk/419/notes/content/04-injection-slides-6.pdf
Clearly Russian interference. Let's blame this on Trump and Kaspersky.
=Beau=
it's an IM client with audio/video capabilities, wth
Looking for people to chat about multicopters, coding, music. skype: gtsiros
That way you can be kinda sorta sure the entire thing came from Microsoft, maybe...
“He’s not deformed, he’s just drunk!”
If you can't fix the issue then let us have the option to remove the POS. Ever since they jammed the crappy product down my throat wished I could remove it, now would be a good time.
errr....umm...*whooosh* *whoosh* Is this thing on ?
the original Peer-to-Peer version before MS bought it
and it can't be fixed because they broke it on purpose...
Skype turned into a huge turd when Microsoft touched it.
It took 6 attempts to get a call through without having either side sound like either donald duck, or mickey mouse. Then of course, you need to make sure your 100/100 internet connection is fast enough, or you get the dreaded "poor quality connection"...
I fixed skype by uninstalling it and using google hangouts.
You seem to misunderstand. The entire thing from Microsoft is the part with the flaw. The way this works is something else would get you infected with malware, which would then leverage Skype's update process to gain administrative access to your system silently.
Could they just static link the libraries to avoid the use of DLLs until the replacement is ready?
Just look at the stats. Failing Linux has had hundreds of CVE's in just the last year with a lot more and worse severities than all the current versions of amazing Windows *combined*. If you want to trust your computer to be secure, you are better off with Windows than littul linux. It's a simple fact, easily proven, but completely politically incorrect to say here which is everyone knows it is true.
20.......16, doh.
Dude .you SERIOUSLY need to worry about something different in the real world. Holy shit....RELAX!
WOW! Are you the racist PIG. Go due ya loser. You seriously need to quit sitting at home behind the keyboard trying to learn how to suck your own dick and get outside and see the real world and quit trying to be some self glorified keyboard Warrior. You need a life, or a major attitude adjustment I should say you racist scumbag
LOL
I think with the amount of money Skype has it's probably high time that they give it a huge overhaul anyway and they can certainly afford it so I hire a great coder and get your asses in gear LOL.
This exact same "attack" has been the root cause of dozens of Windows vulnerabilities reported on Slashdot over the past decade.
EVERYONE should already know about this flaw, so Microsoft has no right to act like it didn't know about the flaw when they purchased Skype.
If any program allows downloads to its %PATH%, then it's 100% vulnerable to this exploit.
p.s. This is also the reason you should never launch an installer from the download directory for your web browser. (Yes, that was also a story on /., but I'm too lazy to look it up.)
Can I use this to get access rights to my android phone that I paid good money for but have no access rights?
app store censorship needs to go.
The old standalone client was bad. Rather than fixing it, they tried to push everyone into WebRTC.
The UI of Skype even on Mac is now awful. Microsoft took a piece of crap and piled on a layer of fresher crap.
The time has come for Skype to get tossed in the trash.
Isn't this quite similar to IBM's (Lotus) Notes updater problem?
Security Bulletin: IBM Notes Privilege escalation in IBM Notes Smart Update Service
IBM iNotes SUService can be misguided into running malicious code from a DLL masquerading as a windows DLL in the temp directory. IBM Plans to address this vulnerability by providing a fix.
https://www-01.ibm.com/support/docview.wss?uid=swg22010775
Last time I checked a complete rewrite is not necessary at all. Sometimes a one liner, e.g. SetDllDirectory(""), is more than enough.
What's worse is that Microsoft, which owns Skype, won't fix the flaw because it would require the updater to go through "a large code revision." Instead, Microsoft is putting all its resources on building an altogether new client.
Man I gotta hand it to whomever at Microsoft actually convinced their boss to go this route. There was a MSN messenger once, you know, Microsoft's IM client, they dumped it and bought Skype. Now they're dumping Skype for inhouse MSN messenger 2.0? Hahahahaha nice job.
"Perrone"?
Which Skype is affected, the real Skype that MS purchased, or the fake MS Lynx or whatever it was they renamed to Skype after they bought it?
Skype has become progressively more difficult to use, with ads, spurious CPU usage and now lately the 8.X line with a complete makeover of the user interface. Sound and so on doesn't seem to be improving either. So, the question, what are the commercial or open source alternatives that are ad-free, but being paid for services is totally fine if it works well.
Adobe, Java, Skype runs 24/7 update processes that I keep just killing and they keep coming back. I do all my normal work on a normal user account, which means these programs fail trying to auto install updates because on my Windows 7 Pro box they do not have permissions.
;) Not
;)
These programs are a plague that expects their users to run their computers (as admin) on a day to day basis. They encourage poor security habits.
When I get irked about the constant pop ups and threats I will log out of my user account and in to my admin account and install the most needed ones.
And no I do not need resident programs running 24 7 to monitor my ink cartridge status and offer easy on line ordering.
Oh another category, all the worthless loaded process trying to add to your customer experience (Yea I am talking about you NVidia and others).
Note from me, just install the needed drivers and applications, and have an unchecked box saying yes I want to install all your worthless add on crap
Just my 2 cents
Does anyone else think that Skype has been on a steady downward spiral? I used to love it because it worked both on my phone and my laptop, it worked on Windows and Mac, and it was a non-intrusive, convenient client which allowed file sharing and video chat.
Then came the endless string of "improving a finished product". First, we got this situation where sending image files triggered some special code path and suddenly you couldn't view photos anymore until both parties upgraded to the latest version (which wasn't finished for all platforms at the same time); then we got the phonification of the interface even on desktops, and the focus on funny animated smileys and color themes, and we recently lost the ability to scroll back in the conversation (not only on the phone versions but also on the desktop).
Are we, consumers, at fault for this? For equating "this product has not seen major rework lately" with "this product has been abandoned and you shouldn't use it anymore"? Or are we, software developers, at fault for this? By taking a product which is "fine" and think we need to keep "improving" it?
...they can damned well reinstate the API used by the Netgear Skype DECT phone I paid a shitload for. The one that says "Skype certified" on it. >:(
Anti-Virus add-ons had near identical issues, which I believe have been solved, and most have robust payload checksumming to ensure other files are not substituted. You would assume windows defender is doing similar checks, as well as fingerprint readers, and the logon screen.
What is interesting is that rather than ask their AV dudes, and port tested hijack free loaders, they would rather re-write, because reading somebody else's code is too hard for the brain dead skype team.
If it is this sloppy, then it should be possible to insert stubs that secretly record all, and maybe attack blu-ray media players, as they are obviously clueless. IF they do re-write, I hope AV1 will be included.
Can someone please explain to me why this can't be fixed?
I'm a software developer myself, mostly web the last couple of years, but wrote Win-programs a while back.
This seems VERY fixable to me. What am I missing?
I understand that the current updater loads and inits a couple of DLL:s it depends on, which happens during program start, and that bad versions can be put in "unsafe" directories to override the safe ones. But what I fail to understand is why they can't push a new updater, which first scans the folders involved in the Windows DLL-chain, and checks DLL:s found with normal checksum/fingerprint, before loading the big updater (which loads the actual DLL:s). The small "pre-updater" should of course not be dependent on any external code.
Why is this a problem?
I would fix it before going out for lunch.
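The pre-load check proposed in the comment above, together with the search-order point made earlier in the thread (the planted DLL "is found first"), as an added example that is not part of the original thread or Skype's code. It uses a simplified model in which the directory the updater runs from is searched before the system directory; the directory names, file contents and function names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def resolve(name, search_dirs):
    """Return the first file matching name (case-insensitively, as on
    Windows) when the directories are searched in the given order."""
    for directory in search_dirs:
        for entry in sorted(Path(directory).iterdir()):
            if entry.is_file() and entry.name.lower() == name.lower():
                return entry
    return None


def audit(needed, search_dirs, trusted_dir):
    """Map each needed DLL to (status, directory it resolves from).
    'planted'  = found outside trusted_dir with different content
    'shadowed' = found outside trusted_dir, identical to the trusted copy"""
    trusted_dir = Path(trusted_dir).resolve()
    report = {}
    for name in needed:
        hit = resolve(name, search_dirs)
        if hit is None:
            report[name] = ("missing", None)
        elif hit.parent.resolve() == trusted_dir:
            report[name] = ("ok", hit.parent.name)
        else:
            trusted = resolve(name, [trusted_dir])
            same = trusted is not None and sha256(hit) == sha256(trusted)
            report[name] = ("shadowed" if same else "planted", hit.parent.name)
    return report


def demo():
    # Constructed layout: "Temp" stands in for the user-writable folder the
    # updater runs from, "System32" for the trusted system directory.
    with tempfile.TemporaryDirectory() as root:
        temp_dir, sys_dir = Path(root, "Temp"), Path(root, "System32")
        temp_dir.mkdir()
        sys_dir.mkdir()
        (sys_dir / "uxtheme.dll").write_bytes(b"trusted uxtheme")
        (sys_dir / "version.dll").write_bytes(b"trusted version")
        (temp_dir / "UXTheme.dll").write_bytes(b"planted copy")
        return audit(["uxtheme.dll", "version.dll"], [temp_dir, sys_dir], sys_dir)
```

A check like this only reports what the loader would pick up; it does not close the window between the scan and the actual load, so it complements restricting the search path rather than replacing it.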
They are a religion, not a race (so he's not racist).
Yeah yeah, semantics.
Either way, both of you are dicks.
What Else ? Whatsapp, Line, WeChat, Zoom, Hermit, other?
What Else ? Whatsapp, Line, WeChat, Zoom, Hangouts, Hermit, other?
Modern Skype is mostly Web Skype.
Modern "Skype for Linux" version 8.x is just Web Skype, packaged together with Chromium, thanks to Electron framework.
(Unlike older versions 4.y which were a Qt port of an older Windows native application).
The most recent version has moved away from binary plugins for the Audio/Video and/or from Microsoft's own NIH syndrome.
And transitioned to WebRTC + HTML5 Video.
But you don't even actually need to install this piece of crap.
- You can browse to http://webskype.com/ with Chromium and mostly get the same result. (But without installed binary plugin, only relying on Chromium's WebRTC)
- You can also browse it with Firefox (last time I checked, Audio/Video wasn't supported, sadly)
- You can even install the SkypeWeb Purple plugin and use it from within Pidgin/Adium
You can basically use Skype without executing a single binary opcode written by Microsoft
(well directly, anyway. Depending on your Javascript engine, it's going to JIT the Javascript on Skype's website if you use Chromium/Firefox. Pidgin isn't affected).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Skype was unique when it was new. A simple to use, easy tool for voice and text chat. And one that can even do phone calls if you so please. People jumped onto it because, well, it was the only one.
Fast forward to today when this monopoly situation ain't so true anymore. Considering how Skype refuses to play nice with any of the other kids in the communication and messenger pool, insisting on being a special little snowflake that nobody may touch with their grubby paws, Skype is pretty much the tool you use when you need to get in touch with those that don't move away from Skype because, well, they don't like to change and they don't want to use a new tool.
If they now have to, they, too will move away from the one-trick pony with some prodding from their friends now that they have to install something new anyway, so why not something that more people use?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I'm sure APK is on this trying to find some way he can claim hosts can block an attack that uses this vector.
Should be noted that the bug requires that the attacker can write a DLL to your file system. So the user already needs to be downloading random DLLs, be a multi-user system or some other software needs to be exploited to write a DLL.
For a typical home PC this bug doesn't seem like a particularly problematic issue.
My hatred of Skype is second only to that of One Drive. Though I've somehow maintained a $10 account balance on Skype by logging in once every couple of years.
OP Here. Are my spidey senses now detecting a real-time public-thought-shaping effort by Slashcunt editors?
The thread I first referenced here is no longer archived but it was yesterday.
https://tech.slashdot.org/story/18/02/12/165259/a-facebook-employee-asked-a-reporter-to-turn-off-his-phone-so-facebook-couldnt-track-its-location
Damage control get rekt much dicks?
Good thinking to put it back to Post-able today.
Is this story intended to make the public think something special?
https://tech.slashdot.org/story/18/02/13/1729254/bill-gates-tech-companies-inviting-government-intervention
Old news there's feds all over Slashbutt. Ain't that right BeauHD? Bureau HeaD.
Y'all can still suck a bag of dicks. Straight. Get the Jews out of USA or you will wish you did later. Oh and about the currency hahaha... you already wish you did huh. usdebtclock.org
Look up fiat money and fractional reserve banking on investopedia.com
Everybody already knows the YouTube videos about it. Research it. There's no money ladies and gentlemen. It's fiat. Look up bank runs.
rekt.
God is smashing all you cunts playing house for life.
you know this. 007 wants 6.
dough.
Pay me mother fuckers. I did tell you.
--OP
See subject: Knocking your ILLITERATE DYSLEXIC RETARD block off https://it.slashdot.org/comments.pl?sid=11736289&cid=56117171/ & if hosts could fix it I would post how.
I could fix this.
Pack RIGHT .dll into .exe as a resource (always proper model) & extract prior to functions used extracting proper one out into app's folder (1st search DLL order) & THEN do version check (or CRC/sizecheck etc.) LoadLibrary instance it & use it.
* EVERY UPDATE ALWAYS has correct lib build WITH CHECKING!
(I've done screensavers that pack .avi files into a .scr & extracts to playin RAM - you can pack ANYTHING YOU LIKE in an .exe as a resource).
APK
P.S.=> A variation of it makes APK Hosts File Engine 10++ SR-1 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/ uninfectable!
(UPMODDED ON /. CODING FOR DEFCON http://it.slashdot.org/comments.pl?sid=158231&cid=13257227/ )
"Bioteq" FAKE NAME failure crying & FAILING for almost 3 yrs. now https://slashdot.org/submission/5378473/slashdot-coalition-to-stop-apk/ & you're useless in THIS conversation too (webboy) but I'm not https://it.slashdot.org/comments.pl?sid=11736521&cid=56117377/ & that'd actually WORK to fix this issue (permanently).
* What's it LIKE being constantly defeated & DESTROYED by "yours truly" you FAKE NAME for a FAKE LIE OF A LIFE wannabe?
(LOL, it's gotta SUCK for you & provides MASSIVE AMUSEMENT OPPORTUNITIES for me to shit ALL OVER "your kind" (losers), lol!).
APK
P.S.=> This one goes into my bookmarks/favs for YOU & I never EVER said "hosts cure all" but what they DO work for kicks "your kind's" (do-nothing chatterers online that *THINK* they know things in computing & you're SO LIMITED it's not even funny) asses - every SINGLE time (you make ME look GOOD & yourselves what I just said you are - nobody do nothing "ne'er-do-wells" - not men)... apk
By switching from C++ to another language in which bugs do not lead to privilege escalation?