Skype Is Vulnerable to a Nasty Exploit: Switch to the Windows Store Version

移动互联 2018-02-15

If the desktop version of Skype is on your Windows computer, you’re vulnerable to a really nasty exploit. A flaw in Skype’s update tool could give attackers full control over your system, and Microsoft says there isn’t going to be a fix any time soon.

Happily, you can avoid the problem completely by replacing the “desktop” version of Skype with the one available from the Microsoft Store . Still, it’s embarrassing for Microsoft’s own software to have a weakness this fundamental, and the exploit in question is one Redmond has warned other developers about multiple times.

Here’s what this exploit works, and how you can make sure you’re using the safe Windows Store version of Skype.

What’s Wrong With Skype?

Updating software is supposed to keep you secure, but ironically in Skype’s case, updating is the problem. That’s because the flaw here isn’t with Skype itself, but rather the tool Skype uses to find and install updates. This update tool is vulnerable to DLL hjjacking, as researcher Stefan Kanthak outlines :

This executable is vulnerable to DLL hijacking: it loads at least UXTheme.dll from its application directory %SystemRoot%Temp instead from Windows’ system directory. An unprivileged (local) user who is able to place UXTheme.dll or any of the other DLLs loaded by the vulnerable executable in %SystemRoot%Temp gains escalation of privilege to the SYSTEM account.

Basically, Skype runsDLLs from the Temp folder, which users can access without administrator rights. This makes it trivial for bad actors to switch out the DLLs and gain system level control over your computer. It’s the kind of vulnerability Microsoft specifically warns developers to avoid , but Microsoft’s Skype team seems to have missed that particular memo.

And it gets worse. Microsoft told Kanthak they “were able to reproduce the issue,” but there won’t be issuing a patch issued to solve the problem. Instead, Microsoft plans on solving the problem during the next major release of Skype—it’s not clear when that will be.

That’s…not ideal. Thankfully, there’s an alternative.

The Solution: Use the Windows Store Version

Microsoft offers two versions of Skype for Windows: the “Desktop” version, which has been around for ages, and the Universal Windows Platform (UWP) version, which you can download from the Microsoft Store app bundled with Windows. Only the desktop version is vulnerable to this particular exploit, because only the desktop version uses its own update tool.

Microsoft has been pushing users to the Microsoft Store version of Skype for a while: the Skype download page directs users to the Store, for example. But many users still have the desktop version on their systems, and they should uninstall that and only use the Store version if they want to stay safe from this exploit.

How can you tell which version you have? The simplest way is to search for “Skype” in the start menu. If you see the words “Trusted Microsoft Store app” below Skype’s name, you’re probably covered.

The two apps also look completely different. Here’s the “desktop” version:

If your Skype looks like this, you’re vulnerable to the exploit. You should uninstall Skype, then download the Microsoft Store version .

Here’s the Microsoft Store version:

If your Skype looks like this, you’re safe: updates for this version are handled using Microsoft Store, so the vulnerability is not relevant.

It’s unfortunate that Microsoft won’t just patch this vulnerability, but at least there’s a working version of Skype that’s locked down. And while the interface and features of the Microsoft Store version will be an adjustment, things like calling and chat work just fine in our tests, even if the interface offers fewer options. And hey: there’s no ugly ads on the Store version, so that’s a plus.

How To Geek

责编内容by:How To Geek (源链)。感谢您的支持!


Microsoft will release Xbox One X pre-order detail... Microsoft will open pre-orders for the Xbox One X soon, according to Xbox chief Phil Spencer. The news comes via a tweet Spencer wrote on Sunday eve...
Integrate your Microsoft Intune device enrollment ... May this year Microsoft announced a new capability of automatically enroll devices in Microsoft Intune as part of joining devices in to Azure AD (Prem...
微软中国区人员变动 邹作基任COO 速途网7月4日消息(报道:李楠) 今天,微软公司宣布,微软香港公司总经理邹作基(Horace Chow)将接替罗荣力(Philippe Rogge),担任微软中国区首席运营官(COO)。 据速途网了解,邹作基将全面负责和管理微软中国的业务,并直接向微软公司资深副总裁,大中华区董事长兼首...
微软Arrow Launcher改名Microsoft Launcher 最新预览版已经发布... 微软的车库应用Arrow Launcher,一个Android的桌面体验方案已经改名Microsoft Launcher并出现在Google Play Store。微软表示这种流畅的设计、可定制的强大启动器相信可以给Android用户带来方便。最新版的Microsoft Launcher可以轻松访问...
微软宣布Office 2007于今年10月10日停止服务... 根据微软官方消息,微软公司Office 2007办公软件将于今年10月10日停止服务,而且也不再支持特殊合约形式的延长支持。所谓停止服务就是微软不再提供任何安全补丁、功能更新和BUG修复,对于企业级用户来说,可能受影响颇深。 对此,微软建议企业和个人,更新或升级到 Office 36...