Skype is reportedly refusing to patch a security vulnerability in its updater process which could allow an attacker to gain system level privileges on a vulnerable computer.
If exploited, the bug can allow a local privilege user to escalate themselves to the full "system" level rights granting access to every corner of the operating system in and attack the could easily be weaponized in a malicious script of malware.
Security researcher Stefan Kantha spotted the Skype update installer could be exploited with a DLL hijacking technique, which allows an attacker to trick an application into drawing malicious code instead of the correct library, according to ZDNet.
Kantha told the publication an attacker can download a malicious DLL into a user-accessible temporary folder and rename it to an existing DLL that can be modified by an unprivileged user. When the app searches for the DLL it needs, it finds that malicious DLL first, enabling the attack the work.
Once the exploit has been installed, Skypes own built in updater keeps the software up to date but when the updater runs, another executable file is used to run the update which is vulnerable to hijacking.
The DLL hijacking attacks can be carried out on Windows, Mac and Linux and the attacks could ultimately allow an attacker to steal files. Microsoft, Skypes, parent company, was notified about the bug in September but said that issuing a fix would require the updater to go through “a large code revision,” Kantha told the publication.
Jim DelGrosso, senior principal consultant, Synopsys told SC Media Microsoft's reluctance to fix the vulnerability suggests that this is a flaw in the architecture or design of the software as opposed to a simple, or even complex, bug in the code.
“This highlights an important distinction that often gets overlooked -- Bugs, which can often be identified with automated tools or manual code review, are discrete coding mistakes that can be addressed by modifying the affected parts of the code,” DelGrosso said. “Flaws are defects in the architecture or design of a software system and may require extensive reconstruction to mitigate the risk.”
DelGrosso added the issue also highlights that secure architecture and design requires effort and expertise on the front end in order to avoid expensive or seemingly futile remediation efforts in the long run.