Slashdot Mirror

← Back to Stories (view on slashdot.org)

Skype Can't Fix a Nasty Security Bug Without a Massive Code Rewrite (zdnet.com)

Posted by BeauHD on from the back-to-the-drawing-board dept.

ZDNet reports of a security flaw in Skype's updater process that "can allow an attacker to gain system-level privileges to a vulnerable computer." If the bug is exploited, it "can escalate a local unprivileged user to the full 'system' level rights -- granting them access to every corner of the operating system." What's worse is that Microsoft, which owns Skype, won't fix the flaw because it would require the updater to go through "a large code revision." Instead, Microsoft is putting all its resources on building an altogether new client. From the report: Security researcher Stefan Kanthak found that the Skype update installer could be exploited with a DLL hijacking technique, which allows an attacker to trick an application into drawing malicious code instead of the correct library. An attacker can download a malicious DLL into a user-accessible temporary folder and rename it to an existing DLL that can be modified by an unprivileged user, like UXTheme.dll. The bug works because the malicious DLL is found first when the app searches for the DLL it needs. Once installed, Skype uses its own built-in updater to keep the software up to date. When that updater runs, it uses another executable file to run the update, which is vulnerable to the hijacking. The attack reads on the clunky side, but Kanthak told ZDNet in an email that the attack could be easily weaponized. He explained, providing two command line examples, how a script or malware could remotely transfer a malicious DLL into that temporary folder.

85 of 151 comments (clear)

  1. Linux not vulnerable by gavron · · Score: 5, Informative

    The article indicates that the Updater is the problem, not Skype. The Updater runs in a privileged environment, and is susceptible to loading non-system DLLs. The article says the same can happen on Macs and on Linux except that neither platform uses DLLs nor allows sourcing libraries from local (no-system) directories.

    E

    1. Re:Linux not vulnerable by Anonymous Coward · · Score: 1

      Yeah, Linux doesn't have "DLLs"!! Because calling the same thing a .so makes it magically secure!

      Spoken like somebody who doesn't really know what LD_PRELOAD actually does.

    2. Re:Linux not vulnerable by Xenx · · Score: 3, Informative

      The article links to a bulletin on hijacking of dynamic libraries on OSX. So......

    3. Re:Linux not vulnerable by Anonymous Coward · · Score: 4, Funny

      Quit being a DLLdo. Windows and Linux libraries are entirely different.

    4. Re: Linux not vulnerable by WarJolt · · Score: 3, Funny

      LD_PRELOAD is not enough for privilege escalation. You need more, like a buggy Microsoft product. Maybe Skype for Linux....

    5. Re:Linux not vulnerable by Z00L00K · · Score: 1

      It's also interesting that after an installation there's actually a need to have system privileges for all updates. That should only be necessary for updates related to system interaction. Of course app updates should require higher privileges than user level, but not really touch the system level.

      But given that it's Microsoft then you'd need a reboot too.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    6. Re:Linux not vulnerable by WaffleMonster · · Score: 1

      Quit being a DLLdo. Windows and Linux libraries are entirely different.

      Nonsense. It's all the same shit with uninteresting semantic differences.

    7. Re:Linux not vulnerable by Anubis+IV · · Score: 1

      Neither platform uses DLLs because they call their dynamically linked libraries something else. For instance, just as you’ll see .app instead of .exe on macOS, you’ll see .dylib instead of .dll. Same basic notion, different extension, same design that leaves it open to attack.

    8. Re:Linux not vulnerable by Anonymous Coward · · Score: 2, Informative

      Linux [...] In fact, I've accidentally run into library versions probems because I had a copy in my home directory along with an executable.

      There are two things you need to deliberately do to make that happen:

      Set PATH to include your home directory.

      Set LD_PRELOAD appropriately or LD_LIBRARY_PATH to your home directory.

      So you've never accidentally run into that problem. You have to deliberately create that problem in two separate and independent steps.

    9. Re:Linux not vulnerable by toadlife · · Score: 1

      It's also interesting that after an installation there's actually a need to have system privileges for all updates.

      Why is that interesting? Every Linux package manager I've ever used uses root privileges to update app packages. Complex permission schemes are possible in both Windows and Linux. People don't use them in either because they are not worth the trouble.

      Of course app updates should require higher privileges than user level

      No, they shouldn't. Apps that are installed in the user's profile only need user's permissions to update.

      But given that it's Microsoft then you'd need a reboot too.

      The need for reboots has nothing to do with permissions.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    10. Re:Linux not vulnerable by TheRaven64 · · Score: 1

      I've never seen a Linux distribution where LD_LIBRARY_PATH was set by default to include locations in the user's home directory. You need to explicitly do that. I suppose that a malicious update script could set it in .profile, but if you use su or sudo then they sanitise your environment so you can't accidentally elevate privilege doing it. I believe that on most *NIX systems the run-time linker also checks that libraries linked by setuid root binaries are owned by root, so you can't exploit it by having the user run a setuid binary.

      --
      I am TheRaven on Soylent News
    11. Re: Linux not vulnerable by Zero__Kelvin · · Score: 2

      Really? It's "just as bad"? Did it really require a "massive re-write" to fix? Because if it did Red Hat did so way back in release 5. Are you saying the bug was "just as bad" but the vendor response was far better, since it got fixed promptly rather than the Linux vendors saying "that is a difficult bug, so we are just going to say screw the customer"?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    12. Re: Linux not vulnerable by Zero__Kelvin · · Score: 1

      First of all the Skype updater is part of Skype. Second, Linux has dynamically linked libraries. Not only should this not be marked informative in any way, your entire post is 100% "misinformative."

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    13. Re:Linux not vulnerable by angel'o'sphere · · Score: 1

      Of course Macs and Linux use DLLs to: dynamic linked libraries do not need to end in *.dll ... e.g. on linux and macs and basically any unix system they end in *.so

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    14. Re:Linux not vulnerable by angel'o'sphere · · Score: 1

      If you need root privileges to run a package manager, then the installed packages are only root writeable.
      If they would be owned by an ordinary user you would not need root privileges.

      Reboots are completely unnecessary, if the system is done right. Unless you want to load a new kernel, or rare cases a new device driver, there is no reason at all.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    15. Re: Linux not vulnerable by Gr8Apes · · Score: 1

      The real problem here is that if Updater requires high level privs on windows, then it's going to be compromisable no matter what MS does. The entire DLL loading process is just one huge security hole. If you have access within your code to load a DLL under an admin privileged token no matter how masked (and possibly even without, I didn't bother going that far) the machine is yours. This is because Windows Security is upside down, and no sensible security system would ever has this design strategy.

      --
      The cesspool just got a check and balance.
    16. Re:Linux not vulnerable by toadlife · · Score: 1

      If you need root privileges to run a package manager, then the installed packages are only root writeable.
      If they would be owned by an ordinary user you would not need root privileges.

      I understand that. The same principles apply in Windows. It's as if you weren't even reading what I wrote.

      Reboots are completely unnecessary, if the system is done right. Unless you want to load a new kernel, or rare cases a new device driver, there is no reason at all.

      I understand that you're a big Linux fan and you think Windows is the worst thing to ever grace humanity, but I was talking about the reason for needing reboots in Windows, since that's what the parent was talking about.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    17. Re:Linux not vulnerable by angel'o'sphere · · Score: 1

      Then explain please, why did you write this:
      Every Linux package manager I've ever used uses root privileges to update app packages. ?
      And why this:
      The need for reboots has nothing to do with permissions. ?
      No one said reboots have anything to do with permissions. Reboots in windows are 99% of the time are unnecessary as well, but the stupid guy who programmed the installer added a "lets reboot after install for good measure".

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  2. Open Source Rules! by Anonymous Coward · · Score: 1

    Of course Linux is completely immune to such attacks because LD_PRELOAD is open source.

    Phew. https://www.cs.rutgers.edu/~pxk/419/notes/content/04-injection-slides-6.pdf

    1. Re:Open Source Rules! by Hal_Porter · · Score: 2

      Not everyone operates in the US tribal mindset where criticising Tribe A means you're automatically a member of Tribe B. Maybe both tribes have downsides.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  3. why does skype have "massive code" anyway? by gTsiros · · Score: 1

    it's a IM client with audio/video capabilities, wth

    --
    Looking for people to chat about multicopters, coding, music. skype: gtsiros
    1. Re:why does skype have "massive code" anyway? by AHuxley · · Score: 2

      PRISM

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:why does skype have "massive code" anyway? by Narcocide · · Score: 1

      How are you supposed to hide massive security vulnerabilities under the vague guise of plausible deniability if you don't have a giant entrenched pile of garbage as a code base? You thought they kept rotating experienced, ethical developers off the project because of simple managerial incompetence, didn't you? The incompetence story is just more plausible deniability.

    3. Re:why does skype have "massive code" anyway? by swilver · · Score: 2

      It's a huge mess. I can't even get voice/video calls to work through a firewall as it requires like 20 different rules for all sorts of ports -- it's ancient code, written in an ancient time when every new feature required its own port and protocol.

      Compare that with Hangouts or Slack (the client), which just works out of the box without any changes to my firewall.

      Besides, I'm sure 90% of the code is the bolted on library for serving you ads in the middle of your face.

    4. Re:why does skype have "massive code" anyway? by ceoyoyo · · Score: 1

      Who knows about Skype. This is the updater app that has massive code.

  4. Download the offline installer? by fustakrakich · · Score: 3, Insightful

    That way you can be kinda sorta sure the entire thing came from Microsoft, maybe...

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:Download the offline installer? by Rockoon · · Score: 4, Informative

      The issue as I understand it is that a bit of nefarious code running in user scope can take these steps:

      1) drop a properly named nefarious dll in a tmp directory
      2) alter the userspace path environment variable that will cause skypes updater to search this folder first for that properly named nefarious dll
      3) launch the skype installer which will then load the nefarious dll into a super user scope

      --
      "His name was James Damore."
    2. Re:Download the offline installer? by ancientt · · Score: 1

      Parent should have been the description in the /. story.

      --
      B) Eliminate all the stupid users. This is frowned upon by society.
    3. Re:Download the offline installer? by MobyDisk · · Score: 1

      agreed! Why are 95% of Slashdot submissions simple cut-and-pastes? Instead, we should be tailoring the summary to the geek audience.

    4. Re:Download the offline installer? by gustygolf · · Score: 1

      Didn't Word etc have the same bug, about five years ago?

      DLL preloading attack was what it was called. You could drop a Word document into the same directory with a malicious DLL file, and if you double-clicked that document, Word would load the DLL instead of the system one.

      If your program doesn't pass a fully qualified path to LoadLibrary/LoadLibraryEx... well, it uses the system path to search for it.

      --
      "Slow Down Cowboy! It's been 58 minutes since you last successfully posted a comment" -- slashdot, driving users away.
  5. So... by Archfeld · · Score: 2

    If you can't fix the issue then let us have the option to remove the POS. Ever since they jammed the crappy product down my throat wished I could remove it, now would be a good time.

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
    1. Re:So... by Xenx · · Score: 1

      Because application choice for Windows is superior to Linux. This goes doubly so for anyone that also plays games on their computer. It also comes with virtually every computer (Apple aside) sold. Why spend time and effort switching over to another operating system? It doesn't take a genius to figure out.

    2. Re:So... by Tyger-ZA · · Score: 3, Interesting

      Last I checked, Skype was entirely optional to install, something you have to go out of your way to infect your system with, not something Microsoft jams down anyone's throat.

      When WIndows 8 came out, Skype was there by default. It also happened to be extra retarded by default. I remember it because some friends asked me to help them log in to the Skype app on a new Windows 8 machine. After some swearing and Googling, I discovered that the app bundled with Windows will only work with a Windows Live account, Skype logins that existed before the MS infection required that I uninstall the bundled version and get the less retarded version from Skype.com

    3. Re:So... by omnichad · · Score: 2

      I just installed Windows 10 fresh and there was a Skype icon already present. Worse, OneDrive runs at startup by default.

    4. Re:So... by thegarbz · · Score: 1

      If you can't fix the issue then let us have the option to remove the POS.

      Ever considered uninstalling it?

    5. Re: So... by Zero__Kelvin · · Score: 1

      Last time I checked feet were entirely optional. Nothing stops you from removing them and using a wheelchair! What's that? You actually need to talk to others that use Skype? Oh, never mind then, it's a closed system and it has absolutey been forced down your throat ... known vulnerability they decided not to fix included.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    6. Re:So... by ZosX · · Score: 1

      Except linux lags behind Windows on the desktop in terms of usability badly. Not to mention that all the real world applications I need are only on Windows. And games. Wine is great and all but the last time I tried it, I was seeing my nvidia card perform about half as well as it should have. Pass. I do like linux, but lets be honest, its a broken fragmented mess with few quality commercial applications for it.

      --
      zosxavius photography
    7. Re:So... by ZosX · · Score: 1

      Wake me up when darktable is better than lightroom and the gimp is on the level of photoshop. Not holding my breath here......

      And inkscape? Its nice but nowhere near as powerful and industry supported as Illustrator.

      --
      zosxavius photography
    8. Re: So... by Archfeld · · Score: 1

      Please check again, Skype is part of Internet Exploiter 11 and installed on Windows 10 by default. It cannot be uninstalled nor disabled, you can just never activate it or connect a Microsoft account to it to prevent it from initializing. I generally use Linux but I am required to keep a Windows system around for HR software and use a Hotmail account to access M$ websites for enterprise support.

      --
      errr....umm...*whooosh* *whoosh* Is this thing on ?
    9. Re:So... by Archfeld · · Score: 1

      More than considered it, spent several hours researching and attempting it but much like cancer it grows back and is deeply rooted in the both the system and the browser.... I'd gladly do away with windows but the employer uses HR software that only runs on Windows 10 and Hotmail for required MS support purposes.

      --
      errr....umm...*whooosh* *whoosh* Is this thing on ?
    10. Re:So... by Archfeld · · Score: 1

      "Better question, who the hell in their right mind knowing what we all know about software and the industry would use windows anything?"

      Anyone who works for someone else who requires it. I'd love to have the choice but my current contract and previous one for that matter required Windows 10 and a Hotmail account. The HR software of their choosing was windows only and to get into MSDN and the enterprise support sites you have to use a Hotmail account...

      --
      errr....umm...*whooosh* *whoosh* Is this thing on ?
    11. Re:So... by thegarbz · · Score: 1

      Interesting. Just right clicking Skype on the start menu and clicking Uninstall seems to do the trick just fine too. There's nothing deep about it. It's a standard UWP app.

    12. Re:So... by Archfeld · · Score: 1

      Perhaps skype imbedded in Internet exploiter is different from the installed version. I do not have an installed version but rather the imbedded version in the outlook mail client I am required to keep for work. But just go on assuming you know everything about everything. It seems to have served you well to this point...

      --
      errr....umm...*whooosh* *whoosh* Is this thing on ?
  6. Re:Russians! by Anonymous Coward · · Score: 2, Funny

    Trump himself said he did it. He said "no collusion", which in Trump-speak means "I colluded".
    We are slowly realises that whatever Trump says, he means the opposite. "Largest ever inauguration crowd" means it wasn't. "Building a wall" means he won't.

    The Trump fans took Trump seriously, but not literally. The general pubic took Trump retardedly, but not unretardedly.

  7. Skype == Turd by Anonymous Coward · · Score: 1

    Skype turned into a huge turd when Microsoft touched it.

    It took 6 attempts to get a call through without having either side sound like either donald duck, or mickey mouse. Then of course, you need to make sure your 100/100 internet connection is fast enough, or you get the dreaded "poor quality connection"...

    I fixed skype by uninstalling it and using google hangouts.

  8. Won't help by The+MAZZTer · · Score: 2

    You seem to misunderstand. The entire thing from Microsoft is the part with the flaw. The way this works is something else would get you infected with malware, which would then leverage Skype's update process to gain administrative access to your system silently.

    1. Re:Won't help by fustakrakich · · Score: 1

      which allows an attacker to trick an application into drawing malicious code instead of the correct library.

      That doesn't sound like it comes from Microsoft. It seems to me that the regular installer takes bits and pieces from here and there to assemble the app on your computer. I don't see that risk if you download the whole chunk from MS. And I don't let it update automatically. I definitely could be wrong, but I still feel better doing my installs from a local file/folder that I know (or think I know) has the correct library.

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:Won't help by whoever57 · · Score: 1

      I have thought for years that Windows would be more secure if Microsoft provided a mechanism by which ISVs could hook into the Windows Update process and use that for program updates. The system could required code signatures to ensure that fakes are not being installed. Microsoft could make some money out of it by selling code signing certificates.

      Obviously, they would have to take care that the ISV hooks could not overwrite any core Microsoft items and perhaps not overwrite any prior ISV hook.

      --
      The real "Libtards" are the Libertarians!
    3. Re:Won't help by Bert64 · · Score: 2

      And they've finally implemented exactly that, it's called "windows store" and they were the last major os vendor to do so.
      You can't just hook in tho, you have to publish through the store, and that comes with all kinds of strings attached.

      I find it amusing how the app store model is taking off, a few years ago this was one of the most common arguments against linux - the claim was that users want to buy software from a store or download from a random website and they won't like the repository model. Turns out the linux proponents were right, users do like being able to search and choose software from one place, but they were very bad at marketing this advantage linux had.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    4. Re:Won't help by AmiMoJo · · Score: 1

      It's not really the app store they care about, that's just a way of making getting what they really want more convenient. And what they want is Microsoft Word and Excel, YouTube, Facebook and Maps.

      Geeks like us hate all that. We see it as bloatware, crap we don't want rammed in our faces. But for ordinary users it's exactly what they want. They don't care about your repo with 57 different IRC clients and 9 versions of Firefox with slightly different licence terms. They want Skype and WhatsApp, because that's what their friends use.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  9. Static Link? by ChodaBoyUSA · · Score: 2

    Could they just static link the libraries to avoid the use of DLLs until the replacement is ready?

    1. Re:Static Link? by Cassini2 · · Score: 5, Informative

      While officially Microsoft supports static linking, in practice, it is necessary to use DLLs in many situations. The Microsoft official answer is at: Extension DLLs

      The practical reasons that I have been forced to use DLLs are:

      • 1. If you want your application to upgrade smoothly over the years, you have to use either the DLL calls or the windows system calls and avoid the statically linked C libraries. For instance, when the times and dates for daylight savings time change, only the windows calls get updated automatically. The statically linked libraries don't get updated. DLL libraries get updated when the DLL gets updated (which can lead to DLL Hell, but that is another story.)
      • 2. If you have an application that allocates memory in one DLL and frees it in another, then it is vital that the library that does the memory management be a DLL. Otherwise, each DLL has it's own statically linked memory mapping library, and they don't know about each other's allocations.
      • 3. (2) applies to applications that use new and delete. It also applies to applications that are ActiveX controls and using IMalloc.
      • 4. Some of the cool Microsoft libraries link to DLLs, so it doesn't matter if you want to use static libraries. You are getting DLLs.
      • 5. Only the really old languages like C++ and QuickBasic supports static linking. I'm pretty sure Visual Basic, C# and .NET all require DLLs.
    2. Re:Static Link? by toadlife · · Score: 1

      Probably. Or you could sign the libraries and executables. This is a common type of vulnerability that shouldn't happen, but does, due to laziness, but it is also relatively easy to fix. The summary's claim of a "massive code rewrite" being needed is sensationalist BS.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    3. Re:Static Link? by v1 · · Score: 1

      The summary's claim of a "massive code rewrite" being needed is sensationalist BS.

      It certainly does look that way. Apparently the problem is in the updater. If your UPDATER even needs to be "completely rewritten", I don't see how that could be described as a "massive rewrite".

      MS never wanted skype, they wanted its userbase. Most users don't like the "new look" they gave it anyway. MS is just going to leverage this into a handy excuse to get the current skype users to move over to their own home-grown IM/Chat client.

      --
      I work for the Department of Redundancy Department.
    4. Re:Static Link? by WaffleMonster · · Score: 1

      1. If you want your application to upgrade smoothly over the years, you have to use either the DLL calls or the windows system calls and avoid the statically linked C libraries. For instance, when the times and dates for daylight savings time change, only the windows calls get updated automatically. The statically linked libraries don't get updated. DLL libraries get updated when the DLL gets updated (which can lead to DLL Hell, but that is another story.)

      Normally Microsoft C library hands off to windows to process time. When daylight savings time changes statically linked C libraries do not have to be updated or applications recompiled to take advantage of these changes.

      They have internal logic that can get out of sync however as a practical matter it's a fallback that is never used.

      If you have an application that allocates memory in one DLL and frees it in another

      Then the application is BROKEN.

      then it is vital that the library that does the memory management be a DLL. Otherwise, each DLL has it's own statically linked memory mapping library, and they don't know about each other's allocations.

      GIGO

    5. Re:Static Link? by toadlife · · Score: 1

      Thanks for the info.

      In this particular case it's one executable using another, not a DLL being called.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    6. Re:Static Link? by swb · · Score: 1

      I think at this point application vendors could solve a multitude of problems by providing statically linked applications. Issues like memory and disk space aren't as big of an impact as they once were.

      But I think the reason we won't see a renaissance in statically linked applications is that vendors LIKE the fact that installers get run as privileged users because it lets them snoop the system and install telemetry they couldn't do with a static executable.

      To be sure, there are good arguments against statically linked executables -- it's not a one-size, fits-all solution, but given the popularity and availability of so many portable versions of free apps, I think there's more demand for them.

    7. Re:Static Link? by angel'o'sphere · · Score: 1

      2. If you have an application that allocates memory in one DLL and frees it in another, then it is vital that the library that does the memory management be a DLL. Otherwise, each DLL has it's own statically linked memory mapping library, and they don't know about each other's allocations.
      Then don't link memory management code into those DLLs ... problem solved, facepalm.

      5. Only the really old languages like C++ and QuickBasic supports static linking. I'm pretty sure Visual Basic, C# and .NET all require DLLs
      Depends probably which VisualBasic version you are talking about. Modern VB is running on .NET. Everything on .NET is byte code. Similar to Java Byte Code. So be definition it is a DLL. if you want to access native code, that would be in a dll, obviously, as you have to load it somehow dynamically ... however everything that DLL needs, could be static linked into hat DLL.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    8. Re:Static Link? by kenmtraveller · · Score: 1

      I think I know why they claim a need to rewrite their downloader, it's because of the way the loader does implicit loading of DLLs at process initialization.
      This implicit loading is vulnerable to DLL hijacking , and mitigations like SetDLLDirectory() and such don't help because it happens before any code in their updater gets to run -- even if they use a custom entry point. You can see this yourself by using WinDbg with Loader Snaps enabled , you will see DLL loads occurring before any of your own code gets to run.
      So, one good way to defend against DLL hijacking, given this, is to make sure your downloader has no dependencies on Microsoft APIs except for those in kernel32.dll (and I suppose user32.dll). These DLLs are 'special case' DLLs that can't be hijacked due to their presence in the KnownDLLs list.
      But, taking an updater with heavy dependence on Microsoft APIs and reducing this dependency across the board might easily require a big rewrite.

  10. Linux is MORE vulnerable by Anonymous Coward · · Score: 3, Funny

    Just look at the stats. Failing Linux has had hundreds of CVE's in just the last year with a lot more and worse severities than all the current versions of amazing Windows *combined*. If you want to trust your computer to be secure, you are better off with Windows than littul linux. It's a simple fact, easily proven, but completely politically incorrect to say here which is everyone knows it is true.

    1. Re: Linux is MORE vulnerable by mSparks43 · · Score: 4, Funny

      I miss the days when every hacker under the sun would regularily release 0days for free that let you infect windows machines just by sending a skype message. Now you got to pay :( - or understand russian :)

  11. Re: Hey excuse me psst cunts.. by mSparks43 · · Score: 1

    20.......16, doh.

  12. Re:Russians! by greenwow · · Score: 2

    We don't have any evidence of it, but the media wouldn't be talking about it so much and for so long if it wasn't true.

  13. Did I end up in the bizarro universe somehow? by Anonymous Coward · · Score: 1

    This exact same "attack" has been the root cause of dozens of Windows vulnerabilities reported on Slashdot over the past decade.
    EVERYONE should already know about this flaw, so Microsoft has no right to act like it didn't know about the flaw when they purchased Skype.

    If any program allows downloads to its %PATH%, then it's 100% vulnerable to this exploit.

    p.s. This is also the reason you should never launch an installer from the download directory for your web browser. (Yes, that was also a story on /., but I'm too lazy to look it up.)

  14. app store censorship by Joe_Dragon · · Score: 1

    app store censorship needs to go.

  15. Skype for Linux is terrible by Anonymous Coward · · Score: 1

    The old standalone client was bad. Rather than fixing it, they tried to push everyone into WebRTC.

    The UI of Skype even on Mac is now awful. Microsoft took a piece of crap and piled on a layer of fresher crap.

    The time has come for Skype to get tossed in the trash.

    1. Re: Skype for Linux is terrible by ArmoredDragon · · Score: 1

      Microsoft simply felt that it's UI wasn't modern enough, so they needed to modernize it. Modern meaning 50s era Scandinavian magazines, of course... Kind of like windows 1.x/2.x, only with a smaller color palette and no divider lines, this way it has to be really bright and contrasty colors, like a Fisher-Price toy.

    2. Re: Skype for Linux is terrible by Gr8Apes · · Score: 1

      Microsoft simply felt that it's UI wasn't modern enough, ... it has to be really bright and contrasty colors, like a Fisher-Price toy.

      So, back to XP?

      --
      The cesspool just got a check and balance.
  16. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  17. A rewrite, really? by Artem+S.+Tashkinov · · Score: 1

    Last time I checked a complete rewrite is not necessary at all. Sometimes a one liner, e.g. SetDllDirectory(""), is more than enough.

    1. Re:A rewrite, really? by Hal_Porter · · Score: 1

      Yup. Secure DLL search paths isn't that hard to implement.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  18. Circle jerk by duke_cheetah2003 · · Score: 4, Interesting

    What's worse is that Microsoft, which owns Skype, won't fix the flaw because it would require the updater to go through "a large code revision." Instead, Microsoft is putting all its resources on building an altogether new client.

    Man I gotta hand it to whomever at Microsoft actually convinced their boss to go this route. There was a MSN messenger once, you know, Microsoft's IM client, they dumped it and bought Skype. Now they're dumping Skype for inhouse MSN messenger 2.0? Hahahahaha nice job.

    1. Re:Circle jerk by thegarbz · · Score: 1

      Hahahahaha nice job

      Yes it is. Think about this for a second. Some of the biggest improvements to OSes have come from major re-writes. This isn't a big deal for a software company as much as it is business as usual.
      Likewise some of the biggest purchases and acquisitions have had zero to do with software. Software is just some code anyone can write. You think a couple of guys in Estonia could do something Microsoft couldn't? The reason Skype was purchased was IP + userbase. This IP+userbase was merged with the existing IP+userbase of the MSN world. Now they have the audience captive including an automatic updater it is trivial to move them onto whatever they want to do next.

      If you can't convince your boss that these are solid business decisions (get IP > get users > get platform lock-in > dominate users) then you may want to give your future suggestions to someone else to present to management.

  19. Always makes me chuckle and irked by oldgraybeard · · Score: 1

    Adobe, Java, Skype runs 24/7 update processes that I keep just killing and they keep coming back. I do all my normal work on a normal user account, which means these programs fail trying to auto install updates because on my Windows 7 Pro box they do not have permissions.

    These programs are a plague that expects their users to run their computers (as admin) on a day to day basis. They encourage poor security habits.

    When I get irked about the constant pop ups and threats I will log out of my user account and in to my admin account and install the most needed ones.

    And no I do not need resident programs running 24 7 to monitor my ink cartridge status and offer easy on line ordering.

    Oh another category, all the worthless loaded process trying to add to your customer experience (Yea I am taking about you NVidia and others).

    Note from me, just install the needed drivers and applications, and have an unchecked box saying yes I want to install all your worthless add on crap ;) Not

    Just my 2 cents ;)

  20. While they're rewriting it... by 6Yankee · · Score: 1

    ...they can damned well reinstate the API used by the Netgear Skype DECT phone I paid a shitload for. The one that says "Skype certified" on it. >:(

  21. Re:Alternative to Skype? by Shikaku · · Score: 1

    Discord

  22. What Else ? by spinitch · · Score: 1

    What Else ? Whatsapp, Line, WeChat, Zoom, Hermit, other?

  23. What Else ? by spinitch · · Score: 1

    What Else ? Whatsapp, Line, WeChat, Zoom, Hangouts, Hermit, other?

  24. Linux Skype is Web Skype by DrYak · · Score: 1

    Modern Skype is mostly Web Skype.

    Modern "Skype for Linux" version 8.x is just Web Skype, packaged together with Chromium, thanks to Electron framework.
    (Unlike older versions 4.y which were a Qt port of an older Windows native application).
    The most recent version has moved away from binary plugins for the Audio/Video and/or from Microsoft's own NIH syndrom.
    And transitioned to WebRTC + HTML5 Video.

    But you don't even actually need to install this piece of crap.
      - You can browse to http://webskype.com/ with Chromium and mostly get the same result. (But without installed binary plugin, only relying on Chromium's WebRTC)
      - You can also browse it with Firefox (last time I checked, Audio/Video wasn't supported, saddly)
      - You can even install the SkypeWeb Purple plugin and use it from within Pidgin/Adium

    You can basically use Skype without executing a single binary opcode written by Microsoft
    (well directly, anway. Depending on your Javascript enginge, it's going to JIT the Javascript on Skype's website if you use Chromium/Firefox. Pidgin isn't affected).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  25. Do you really insist in shooting your own foot? by Opportunist · · Score: 1

    Skype was unique when it was new. A simple to use, easy tool for voice and text chat. And one that can even do phone calls if you so please. People jumped onto it because, well, it was the only one.

    Fast forward to today when this monopoly situation ain't so true anymore. Considering how Skype refuses to play nice with any of the other kids in the communication and messenger pool, insisting on being a special little snowflake that nobody may touch with their grubby paws, Skype is pretty much the tool you use when you need to get in touch with those that don't move away from Skype because, well, they don't like to change and they don't want to use a new tool.

    If they now have to, they, too will move away from the one-trick pony with some prodding from their friends now that they have to install something new anyway, so why not something that more people use?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  26. Re: Russians! by Zero__Kelvin · · Score: 1

    How do you know we don't have any evidence of it. Do you have access to Mueller's files? We certainly have already seen numerous guilty pleas from members of his "inner circle" followed by orwellian "that man was never part of my inner circle" newspeek from the tiny fingered Don.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  27. Re:I'm sure APK is on this by bioteq · · Score: 1

    Hosts fix -everything- though!

  28. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  29. Requires local access by Luthair · · Score: 1

    Should be noted that the bug requires that the attacker can write a DLL to your file system. So the user already needs to be downloading random DLLs, be a multi-user system or some other software needs to be exploited to write a DLL.

    For a typical home PC this bug doesn't seem like a particularly problematic issue.

  30. Re:So...and this Onedrive crap too by ficuscr · · Score: 1

    My hatred of Skype is second only to that of One Drive. Though I've somehow maintained a $10 account balance on Skype by logging in once every couple of years.