A security flaw in the Skype update process can allow an attacker to gain system-level privileges on a vulnerable computer.
“…the error, if exploited, can derive a local user who does not have privileges to the full-level rights of the system, granting access to every corner of the operating system”, told an information security expert.
As explained by the company, at least for now they will not solve the problem. The reason is that solving this security flaw requires a lot of work.
Cyber security researcher Stefan Kanthak has discovered that the Skype update installer could be exploited with a DLL hijacking technique. This allows an attacker to trick an application into creating malicious code instead of the correct library.
Consequently, an attacker would have the possibility of downloading a malicious DLL into a temporary folder accessible to the user. Once this is done, you can rename an existing DLL that can be modified by an unprivileged user, such as UXTheme.dll. The error works because the malicious DLL is found first when the application looks for the DLL it needs.
Kanthak, indicates that a script or malware could remotely transfer a malicious DLL to that temporary folder. He adds that Windows offers several ways to do it.
In addition the cyber security expert said that once an attacker obtains the necessary privileges, he could do anything. From there, an attacker could steal files, delete data or hijack them by running ransomware.
Kanthak informed Microsoft about this error. However, the software giant said that issuing an arrangement would require a major code review. They affirmed that a new version would arrive, beyond a simple cyber security review.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.