A bug has been found in Skype’s update process which could give an attacker system-level privileges if exploited. However, it appears that Microsoft won’t be fixing the bug any time soon.
ZDNet reports that Microsoft is aware of the bug, but says that it requires “too much work” for an immediate security fix. From ZDNet:
But Microsoft, which owns the voice- and video-calling service, said it won’t immediately fix the flaw, because the bug would require too much work.
Stefan Kanthak, the security researcher who discovered and described the bug, explained that the issue lies in Skype’s updater, which runs as a separate executable file. The executable is vulnerable to DLL hijacking, which could be used to trick the application into loading malicious code. An attacker could use this vector to gain system privileges, which would allow them to “do anything,” Kanthak told ZDNet.
Microsoft was alerted to the vulnerability in September, but it says it “would need a large code revision to prevent DLL injection.” Rather than issue a security update, Microsoft says instead that a fix will be released with a newer version of the client while the current version “will slowly be deprecated.”
It’s worth noting that this only applies to the desktop Skype app and not the Universal Windows Platform (UWP) version available from the Microsoft Store.