Instead of immediately fixing a critical vulnerability in its Skype application, Microsoft has decided to wait and include a possible fix in a new version of Skype which the company may launch in the near future, a researcher has alleged.
A critical vulnerability in Skype’s update installer lets an attacker gain full control of a device and install additional malware on it.
Security researcher Stefan Kanthak recently discovered a “system-level” security vulnerability in Microsoft’s Skype application that allows an attacker to gain full control of a computer and use that access to steal or monitor user data or to install additional malware.
He said the flaw is exploited through DLL hijacking, a well-known technique rather than a sophisticated one: the update installer looks for libraries it needs in a location an attacker can write to, so the attacker plants a malicious DLL there and the installer loads the attacker’s code in place of the legitimate Microsoft library. Because the installer runs with system-level privileges, the planted code runs with those privileges too.
‘The attacker exploits the functionality of the Windows DLL loader where the process loading the DLL searches for the DLL to be loaded first in the same directory in which the process binary resides and then in other directories. Exploitation of this preferential search order can allow an attacker to make the loading process load the attackers’ rogue DLL rather than the legitimate DLL,’ notes CAPEC, MITRE’s Common Attack Pattern Enumeration and Classification catalogue, in its entry on DLL search order hijacking.
‘For instance, an attacker with access to the file system may place a malicious ntshrui.dll in the C:\Windows directory. This DLL normally resides in the System32 folder. Process explorer.exe which also resides in C:\Windows, upon trying to load the ntshrui.dll from the System32 folder will actually load the DLL supplied by the attacker simply because of the preferential search order. Since the attacker has placed its malicious ntshrui.dll in the same directory as the loading explorer.exe process, the DLL supplied by the attacker will be found first and thus loaded in lieu of the legitimate DLL. Since explorer.exe is loaded during the boot cycle, the attackers’ malware is guaranteed to execute.
‘This attack can be leveraged with many different DLLs and with many different loading processes. No forensic trails are left in the system’s registry or file system that an incorrect DLL had been loaded,’ it added.
CAPEC’s suggested mitigations are to remove the application’s dependence on the preferential search order, so that system libraries are loaded only from the system directory rather than from wherever a matching file name is found first, and to sign system DLLs so that an unauthorised DLL planted by an attacker is detected and rejected rather than loaded. In practice an individual application cannot change the loader’s search order for the whole system, but it can restrict the search for its own loads: Windows offers LoadLibraryEx with the LOAD_LIBRARY_SEARCH_SYSTEM32 flag and SetDefaultDllDirectories for exactly this purpose, and a program that must run with elevated privileges, such as an installer, should also avoid running from a directory that unprivileged users can write to.
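To make the CAPEC description concrete, the following is an added, constructed model of the documented LoadLibrary search order; it is not the Windows loader and not code from Skype, Microsoft or CAPEC. It reproduces the explorer.exe / ntshrui.dll scenario quoted above and goes beyond it in two ways the text only hints at: it contrasts Safe DLL Search Mode with the legacy order that puts the current directory second, and it shows the hardened System32-only lookup that the mitigations above describe. The directory layout, the user path `C:\Users\alice\Downloads` and the small KnownDLLs subset are all assumptions made for the example.

```python
"""Simplified model of Windows DLL search-order hijacking.

Constructed example, not the Windows loader: it models the documented
default LoadLibrary search order and asks, for one binary and one library,
where an attacker with write access to some directory could plant a DLL so
that the loader finds it before the legitimate copy.
"""
import ntpath  # Windows path semantics, usable on any platform
from typing import Dict, List, Optional, Set, Tuple

# Documented default order with Safe DLL Search Mode enabled (the default
# since Windows XP SP2): app dir, System32, System, Windows, cwd, PATH.
SAFE_ORDER = ("app", "system32", "system", "windows", "cwd", "path")
# With Safe DLL Search Mode disabled the current directory is searched
# right after the application directory.
UNSAFE_ORDER = ("app", "cwd", "system32", "system", "windows", "path")

# KnownDLLs are mapped from System32 with no search at all.  Constructed
# subset; the real list is under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll"}

WINDOWS = r"C:\Windows"
SYSTEM32 = r"C:\Windows\System32"
SYSTEM = r"C:\Windows\System"

FileSystem = Dict[str, Set[str]]  # normalised directory -> lower-cased names


def _norm(path: str) -> str:
    return ntpath.normpath(path).lower()


def make_fs(layout: Dict[str, Set[str]]) -> FileSystem:
    return {_norm(d): {f.lower() for f in names} for d, names in layout.items()}


def search_dirs(app_dir: str, cwd: str, path_env: List[str], safe: bool = True) -> List[str]:
    """Concrete directories walked for an unqualified DLL name, in order."""
    concrete = {"app": [app_dir], "system32": [SYSTEM32], "system": [SYSTEM],
                "windows": [WINDOWS], "cwd": [cwd], "path": list(path_env)}
    dirs: List[str] = []
    for token in (SAFE_ORDER if safe else UNSAFE_ORDER):
        for d in concrete[token]:
            if _norm(d) not in dirs:  # listing a directory twice adds nothing
                dirs.append(_norm(d))
    return dirs


def resolve(fs: FileSystem, dll: str, app_dir: str, cwd: str,
            path_env: List[str], safe: bool = True) -> Optional[str]:
    """Path the default search would load for dll, or None if not found."""
    name = dll.lower()
    if name in KNOWN_DLLS:
        return ntpath.join(_norm(SYSTEM32), name)
    for d in search_dirs(app_dir, cwd, path_env, safe):
        if name in fs.get(d, set()):
            return ntpath.join(d, name)
    return None


def resolve_system32_only(fs: FileSystem, dll: str) -> Optional[str]:
    """Hardened lookup: only System32 is consulted, as when an application
    loads a known system DLL with LoadLibraryEx(LOAD_LIBRARY_SEARCH_SYSTEM32)
    or has called SetDefaultDllDirectories with that flag."""
    name, s32 = dll.lower(), _norm(SYSTEM32)
    if name in KNOWN_DLLS or name in fs.get(s32, set()):
        return ntpath.join(s32, name)
    return None


def hijack_dir(fs: FileSystem, dll: str, app_dir: str, cwd: str, path_env: List[str],
               writable: Set[str], safe: bool = True) -> Optional[str]:
    """First directory in the search order that the attacker can write to and
    that is reached before the legitimate copy; None if the attack cannot
    work.  A DLL present nowhere is still hijackable (a 'phantom' DLL)."""
    name = dll.lower()
    if name in KNOWN_DLLS:
        return None
    writable_norm = {_norm(d) for d in writable}
    for d in search_dirs(app_dir, cwd, path_env, safe):
        if name in fs.get(d, set()):
            return None  # legitimate DLL is reached first: attack fails
        if d in writable_norm:
            return d     # attacker's directory is reached first
    return None


# Constructed layout for the CAPEC scenario: explorer.exe in C:\Windows,
# ntshrui.dll legitimately in System32, attacker able to write to C:\Windows.
FS = make_fs({WINDOWS: {"explorer.exe"},
              SYSTEM32: {"ntshrui.dll", "uxtheme.dll", "kernel32.dll"}})
PATH_ENV = [SYSTEM32, WINDOWS]
USER_CWD = r"C:\Users\alice\Downloads"  # constructed, attacker-writable


def capec_example() -> Optional[str]:
    return hijack_dir(FS, "ntshrui.dll", WINDOWS, USER_CWD, PATH_ENV, writable={WINDOWS})


def after_planting() -> Tuple[Optional[str], Optional[str]]:
    """What loads once the rogue ntshrui.dll is planted: default vs hardened."""
    planted = {d: set(f) for d, f in FS.items()}
    planted[_norm(WINDOWS)].add("ntshrui.dll")
    return (resolve(planted, "ntshrui.dll", WINDOWS, USER_CWD, PATH_ENV),
            resolve_system32_only(planted, "ntshrui.dll"))


def cwd_example(safe: bool) -> Optional[str]:
    """Only the current directory is writable: safe mode defeats this, the
    legacy order does not."""
    return hijack_dir(FS, "uxtheme.dll", WINDOWS, USER_CWD, PATH_ENV,
                      writable={USER_CWD}, safe=safe)


def known_dll_example() -> Optional[str]:
    return hijack_dir(FS, "kernel32.dll", WINDOWS, USER_CWD, PATH_ENV,
                      writable={WINDOWS, USER_CWD})


if __name__ == "__main__":
    print("plant ntshrui.dll in:", capec_example())
    print("loaded after planting (default, hardened):", after_planting())
    print("cwd attack, safe mode:", cwd_example(True), "| legacy mode:", cwd_example(False))
    print("kernel32.dll hijackable:", known_dll_example())
```

Running the script shows the CAPEC outcome (the rogue copy in C:\Windows wins under the default search while the System32-only lookup still returns the genuine file), shows that the current-directory variant only works with Safe DLL Search Mode off, and shows that KnownDLLs are out of reach for this technique. The model deliberately ignores manifests, side-by-side assemblies and AddDllDirectory, so treat it as an aid to reasoning about a specific load, not as an audit tool.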
However, even though the vulnerability is serious enough to affect every desktop user of the current Skype client, Kanthak said that Microsoft is not keen to fix it in that client right away, because the installer would need a large code revision and the company’s resources are committed elsewhere.
Instead, he alleged that Microsoft aims to fix the vulnerability in a new version of Skype which it will launch in the near future.
“The engineers provided me with an update on this case. They’ve reviewed the code and were able to reproduce the issue, but have determined that the fix will be implemented in a newer version of the product rather than a security update.
“The team is planning on shipping a newer version of the client, and this current version will slowly be deprecated. The installer would need a large code revision to prevent DLL injection, but all resources have been put toward development of the new client,” he said.
“Although the details are still a bit unclear, Microsoft’s reluctance to fix the issue suggests that this is a flaw in the architecture or design of the software rather than a simple or even complex bug in the code. This highlights an important distinction that often gets overlooked,” says Jim DelGrosso, senior principal consultant at Synopsys.
“Bugs, which can often be identified with automated tools or manual code review, are discrete coding mistakes that can be addressed by modifying the affected parts of the code. Flaws are defects in the architecture or design of a software system and may require extensive reconstruction to mitigate the risk.
“This also highlights the importance of secure architecture and design at the outset of a software development project. It requires some effort and expertise on the front end, but it can avoid expensive or seemingly futile remediation efforts in the long run,” he adds.
If DelGrosso’s hunch is right, a design flaw in Skype’s update installer leaves every desktop user of the current client exposed to any attacker who can plant a file where the installer looks for its libraries, and through that to data theft, surveillance and further malware. Microsoft’s decision to address the problem in a new client rather than invest in patching the existing one is consistent with a flaw in the installer’s design rather than a simple coding bug.
Until that new client ships, the practical options for Microsoft to protect Skype users are to release it without delay or to give users a clear timeline for resolving the flaw in the current version, so that they and their administrators can take interim measures in the meantime.