MS take ostrich head in sand approach to critical Skype security cock up.
‘No interest in fixing’
Stefan Kanthak was hunting bugs when he came across a real doozy in Skype. He reckons MS told him they’ve got no interest in fixing it. Nice one, Redmond!
If a Naughty Person makes an exploit to take advantage of the gaping hole, they can get full control of the target machine. We’re talking system level vulnerability.
It means you’d be totally pwned. Someone would have complete control of your box. Downloading files, keystroke loggers, backdoors and other malware.
After much testing, Kanthak deduced the whole problem is to do with the Skype update installer. Something designed to actually fix security holes…
According to CAPEX, attachers can use this vulnerability to exploit the “Windows DLL loader, where the process loading the DLL searches for the DLL to be loaded first in the same directory in which they process binary resides and then in other directories”.
They went on: “Exploitation of this preferential search order can allow an attacker to make the loading process load the attackers’ rogue DLL rather than the legitimate DLL.”
Kanthak added: “An unprivileged (local) user who is able to place UXTheme.dll or any of the other DLLs loaded by the vulnerable executable in ‘%SystemRoot%\Temp\’ gains escalation of privilege to the SYSTEM account.”
He claims he told MS, but they said it would take too long to fix as a security update, so would hang on until a new release and just cross their sweaty little fingers that no one made an exploit between now and whenever that date might be .
Too slow, MS
As if this makes it ok, they mumbled:
“The team is planning on shipping a newer version of the client, and this current version will slowly be deprecated. The installer would need a large code revision to prevent DLL injection, but all resources have been put toward development of the new client.”
Which translates roughly to: “Meh, we’ll fix it later, possibly”.
Thanks Redmond, you fill us with confidence on a daily basis.