Slashdot Mirror


Skype Can't Fix a Nasty Security Bug Without a Massive Code Rewrite (zdnet.com)

ZDNet reports of a security flaw in Skype's updater process that "can allow an attacker to gain system-level privileges to a vulnerable computer." If the bug is exploited, it "can escalate a local unprivileged user to the full 'system' level rights -- granting them access to every corner of the operating system." What's worse is that Microsoft, which owns Skype, won't fix the flaw because it would require the updater to go through "a large code revision." Instead, Microsoft is putting all its resources on building an altogether new client. From the report: Security researcher Stefan Kanthak found that the Skype update installer could be exploited with a DLL hijacking technique, which allows an attacker to trick an application into drawing malicious code instead of the correct library. An attacker can download a malicious DLL into a user-accessible temporary folder and rename it to an existing DLL that can be modified by an unprivileged user, like UXTheme.dll. The bug works because the malicious DLL is found first when the app searches for the DLL it needs. Once installed, Skype uses its own built-in updater to keep the software up to date. When that updater runs, it uses another executable file to run the update, which is vulnerable to the hijacking. The attack reads on the clunky side, but Kanthak told ZDNet in an email that the attack could be easily weaponized. He explained, providing two command line examples, how a script or malware could remotely transfer a malicious DLL into that temporary folder.

23 of 151 comments

  1. Linux not vulnerable by gavron · · Score: 5, Informative

    The article indicates that the Updater is the problem, not Skype. The Updater runs in a privileged environment, and is susceptible to loading non-system DLLs. The article says the same can happen on Macs and on Linux except that neither platform uses DLLs nor allows sourcing libraries from local (non-system) directories.

    E

    1. Re:Linux not vulnerable by Xenx · · Score: 3, Informative

      The article links to a bulletin on hijacking of dynamic libraries on OSX. So......

    2. Re:Linux not vulnerable by Anonymous Coward · · Score: 4, Funny

      Quit being a DLLdo. Windows and Linux libraries are entirely different.

    3. Re: Linux not vulnerable by WarJolt · · Score: 3, Funny

      LD_PRELOAD is not enough for privilege escalation. You need more, like a buggy Microsoft product. Maybe Skype for Linux....

    4. Re:Linux not vulnerable by Anonymous Coward · · Score: 2, Informative

      Linux [...] In fact, I've accidentally run into library version problems because I had a copy in my home directory along with an executable.

      There are two things you need to deliberately do to make that happen:

      Set PATH to include your home directory.

      Set LD_PRELOAD appropriately or LD_LIBRARY_PATH to your home directory.

      So you've never accidentally run into that problem. You have to deliberately create that problem in two separate and independent steps.

    5. Re: Linux not vulnerable by Zero__Kelvin · · Score: 2

      Really? It's "just as bad"? Did it really require a "massive re-write" to fix? Because if it did Red Hat did so way back in release 5. Are you saying the bug was "just as bad" but the vendor response was far better, since it got fixed promptly rather than the Linux vendors saying "that is a difficult bug, so we are just going to say screw the customer"?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  2. Download the offline installer? by fustakrakich · · Score: 3, Insightful

    That way you can be kinda sorta sure the entire thing came from Microsoft, maybe...

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:Download the offline installer? by Rockoon · · Score: 4, Informative

      The issue as I understand it is that a bit of nefarious code running in user scope can take these steps:

      1) drop a properly named nefarious dll in a tmp directory
      2) alter the userspace path environment variable that will cause Skype's updater to search this folder first for that properly named nefarious dll
      3) launch the Skype installer which will then load the nefarious dll into a super user scope

      --
      "His name was James Damore."
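The three steps above, like the ZDNet summary, depend on one precondition: a directory that the unprivileged user can create files in sits somewhere the privileged updater will search for a library by name. The following PowerShell is an added example, not code from the article or from any commenter, that audits that precondition from the defender's side. The function name `Get-UserWritableSearchDir` is my own; it assumes only the built-in `Get-Acl` cmdlet and the .NET `WindowsIdentity` API, and it checks every PATH entry plus the user's TEMP folder against the access token of whoever runs it.

```powershell
# Added example (not from the article or any commenter): report directories on the
# library search path that the current user can create files in. Run it as the
# standard (non-admin) user whose exposure you want to measure; it only reads ACLs.

function Get-UserWritableSearchDir {
    [CmdletBinding()]
    param(
        # Directories to inspect; defaults to every PATH entry plus %TEMP%.
        [string[]]$Directory = ((($env:Path -split ';') | Where-Object { $_ }) + @($env:TEMP))
    )

    # SIDs of the current user and every group in its token (Everyone, Users,
    # Authenticated Users, ...). An Allow rule for any of these grants the user access.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids   = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    # Access bits that permit creating a file in a directory: FILE_WRITE_DATA (0x2)
    # and the generic rights that map onto it (GENERIC_WRITE, GENERIC_ALL).
    $createBits = 0x2 -bor 0x40000000 -bor 0x10000000

    $pathEntries = $env:Path -split ';'

    foreach ($dir in ($Directory | Select-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }

        try { $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop } catch { continue }

        foreach ($rule in $acl.Access) {
            # Simplification: Deny rules are not evaluated, so this can over-report.
            if ($rule.AccessControlType -ne 'Allow') { continue }
            try {
                $sid = $rule.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }
            if ($mySids -notcontains $sid) { continue }

            # FileSystemRights is an Int32-backed enum; generic bits show up as raw values.
            $rights = [int]$rule.FileSystemRights
            if (($rights -band $createBits) -ne 0) {
                [pscustomobject]@{
                    Directory = $dir
                    Principal = $rule.IdentityReference.Value
                    Rights    = $rule.FileSystemRights
                    InPath    = $pathEntries -contains $dir
                }
                break   # one matching Allow rule is enough to report this directory
            }
        }
    }
}

# Usage: every directory listed here is one the current user could drop a file
# into and that a process searching by file name may consult. Remediate by removing
# the entry from PATH or tightening its ACL, and have privileged installers resolve
# libraries from the system directory only.
Get-UserWritableSearchDir | Format-Table -AutoSize
```

A directory that appears in the output with `InPath` true is the more serious finding, because any process started with that environment inherits the search order; the TEMP entry matters only for programs that load from there explicitly, which is the case the article describes for the updater.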
  3. So... by Archfeld · · Score: 2

    If you can't fix the issue then let us have the option to remove the POS. Ever since they jammed the crappy product down my throat I've wished I could remove it; now would be a good time.

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
    1. Re:So... by Tyger-ZA · · Score: 3, Interesting

      Last I checked, Skype was entirely optional to install, something you have to go out of your way to infect your system with, not something Microsoft jams down anyone's throat.

      When Windows 8 came out, Skype was there by default. It also happened to be extra retarded by default. I remember it because some friends asked me to help them log in to the Skype app on a new Windows 8 machine. After some swearing and Googling, I discovered that the app bundled with Windows will only work with a Windows Live account; Skype logins that existed before the MS infection required that I uninstall the bundled version and get the less retarded version from Skype.com

    2. Re:So... by omnichad · · Score: 2

      I just installed Windows 10 fresh and there was a Skype icon already present. Worse, OneDrive runs at startup by default.

  4. Re:Russians! by Anonymous Coward · · Score: 2, Funny

    Trump himself said he did it. He said "no collusion", which in Trump-speak means "I colluded".
    We are slowly realising that whatever Trump says, he means the opposite. "Largest ever inauguration crowd" means it wasn't. "Building a wall" means he won't.

    The Trump fans took Trump seriously, but not literally. The general public took Trump retardedly, but not unretardedly.

  5. Won't help by The+MAZZTer · · Score: 2

    You seem to misunderstand. The entire thing from Microsoft is the part with the flaw. The way this works is something else would get you infected with malware, which would then leverage Skype's update process to gain administrative access to your system silently.

    1. Re:Won't help by Bert64 · · Score: 2

      And they've finally implemented exactly that, it's called "Windows Store" and they were the last major OS vendor to do so.
      You can't just hook in tho, you have to publish through the store, and that comes with all kinds of strings attached.

      I find it amusing how the app store model is taking off, a few years ago this was one of the most common arguments against Linux - the claim was that users want to buy software from a store or download from a random website and they won't like the repository model. Turns out the Linux proponents were right, users do like being able to search and choose software from one place, but they were very bad at marketing this advantage Linux had.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  6. Static Link? by ChodaBoyUSA · · Score: 2

    Could they just static link the libraries to avoid the use of DLLs until the replacement is ready?

    1. Re:Static Link? by Cassini2 · · Score: 5, Informative

      While officially Microsoft supports static linking, in practice, it is necessary to use DLLs in many situations. The Microsoft official answer is at: Extension DLLs

      The practical reasons that I have been forced to use DLLs are:

      1. If you want your application to upgrade smoothly over the years, you have to use either the DLL calls or the Windows system calls and avoid the statically linked C libraries. For instance, when the times and dates for daylight savings time change, only the Windows calls get updated automatically. The statically linked libraries don't get updated. DLL libraries get updated when the DLL gets updated (which can lead to DLL Hell, but that is another story.)
      2. If you have an application that allocates memory in one DLL and frees it in another, then it is vital that the library that does the memory management be a DLL. Otherwise, each DLL has its own statically linked memory mapping library, and they don't know about each other's allocations.
      3. (2) applies to applications that use new and delete. It also applies to applications that are ActiveX controls and using IMalloc.
      4. Some of the cool Microsoft libraries link to DLLs, so it doesn't matter if you want to use static libraries. You are getting DLLs.
      5. Only the really old languages like C++ and QuickBasic support static linking. I'm pretty sure Visual Basic, C# and .NET all require DLLs.
  7. Linux is MORE vulnerable by Anonymous Coward · · Score: 3, Funny

    Just look at the stats. Failing Linux has had hundreds of CVEs in just the last year with a lot more and worse severities than all the current versions of amazing Windows *combined*. If you want to trust your computer to be secure, you are better off with Windows than littul linux. It's a simple fact, easily proven, but completely politically incorrect to say here, which everyone knows is true.

    1. Re: Linux is MORE vulnerable by mSparks43 · · Score: 4, Funny

      I miss the days when every hacker under the sun would regularly release 0days for free that let you infect Windows machines just by sending a Skype message. Now you got to pay :( - or understand Russian :)

  8. Re:why does skype have "massive code" anyway? by AHuxley · · Score: 2

    PRISM

    --
    Domestic spying is now "Benign Information Gathering"
  9. Re:Russians! by greenwow · · Score: 2

    We don't have any evidence of it, but the media wouldn't be talking about it so much and for so long if it wasn't true.

  10. Circle jerk by duke_cheetah2003 · · Score: 4, Interesting

    What's worse is that Microsoft, which owns Skype, won't fix the flaw because it would require the updater to go through "a large code revision." Instead, Microsoft is putting all its resources on building an altogether new client.

    Man I gotta hand it to whomever at Microsoft actually convinced their boss to go this route. There was an MSN Messenger once, you know, Microsoft's IM client; they dumped it and bought Skype. Now they're dumping Skype for in-house MSN Messenger 2.0? Hahahahaha nice job.

  11. Re:Open Source Rules! by Hal_Porter · · Score: 2

    Not everyone operates in the US tribal mindset where criticising Tribe A means you're automatically a member of Tribe B. Maybe both tribes have downsides.

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  12. Re:why does skype have "massive code" anyway? by swilver · · Score: 2

    It's a huge mess. I can't even get voice/video calls to work through a firewall as it requires like 20 different rules for all sorts of ports -- it's ancient code, written in an ancient time when every new feature required its own port and protocol.

    Compare that with Hangouts or Slack (the client), which just works out of the box without any changes to my firewall.

    Besides, I'm sure 90% of the code is the bolted on library for serving you ads in the middle of your face.