Microsoft’s Skype for Windows desktop app appears to be suffering from a pretty serious vulnerability, one that the company won’t immediately fix. The security flaw was discovered by Security researcher Stefan Kanthak, who explained to ZDNet that an attacker managing to place malicious DLLs in the needed location of a Windows PC could gain system-level privileges on the machine:
The attack reads on the clunky side, but Kanthak told ZDNet in an email that the attack could be easily weaponized. He explained, providing two command line examples, how a script or malware could remotely transfer a malicious DLL into that temporary folder. “Windows provides multiple ways to do it,” he said. But DLL hijacking isn’t limited to Windows, he said — noting that it can apply to Macs and Linux, too.
Once “system” privileges are gained, an attacker “can do anything,” Kanthak said. “‘System’ is ‘administrator’ on steroids,” he added. From there, an attacker could steal files, delete data, or hold data hostage by running ransomware.
To be clear, this security flaw only affects the Skype for desktop app (not the Skype UWP app on Windows 10 PCs), which uses its own its own update installer that is vulnerable to this DLL hijacking technique. Kanthak warned Microsoft about the vulnerability back in September and provided two different mitigations. Microsoft answered him that addressing this security issue would require “a large code revision,” which is why the company plans to fix it “in a newer version of the product rather than a security update.”