Microsoft fixed serious Skype installer security flaw in October [Updated]

Updated February 15, 2018: Microsoft has provided an update on this issue, stating that it was corrected in a new version of the Skype installer made available in October. "There was an issue with an older version of the Skype for Windows desktop installer – version 7.40 and lower," Microsoft says. "The issue was in the program that installs the Skype software – the issue was not in the Skype software itself. Customers who have already installed this version of Skype for Windows desktop are not affected. We have removed this older version of Skype for Windows desktop from our website skype.com." The original story follows.

A bug has been found in Skype's update process which could give an attacker system-level privileges if exploited. However, it appears that Microsoft won't be fixing the bug any time soon.

ZDNet reports that Microsoft is aware of the bug, but says that it requires "too much work" for an immediate security fix. From ZDNet:

But Microsoft, which owns the voice- and video-calling service, said it won't immediately fix the flaw, because the bug would require too much work.

Stefan Kanthak, the security researcher who discovered and described the bug, explained that the issue lies in Skype's updater, which runs as a separate executable file. The executable is vulnerable to DLL hijacking, which could be used to trick the application into loading malicious code. An attacker could use this vector to gain system privileges, which would allow them to "do anything," Kanthak told ZDNet.

Microsoft was alerted to the vulnerability in September, but it says it "would need a large code revision to prevent DLL injection." Rather than issue a security update, Microsoft says that a fix will be released with a newer version of the client, while the current version "will slowly be deprecated."
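The mechanism behind the story is the Windows DLL search order: when an executable that runs with high privileges implicitly loads a DLL, Windows looks in the executable's own directory first, so an installer launched from a user-writable location such as a Downloads folder can be made to pick up a file that a standard user planted there. The following is an added example, not code from the article or from Microsoft, that models that search order over constructed data and audits which imports of a hypothetical installer would be served from (or shadowed by) a directory a non-admin user can write to. The `restricted` mode models the kind of code change Microsoft refers to, restricting loads to System32 in the way `SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32)` does; all directory names, file names and the `Host` type are assumptions made for the example.

```python
"""Audit an installer's DLL loads against the Windows search order.

Everything here is a simulation over constructed data: no real filesystem
is touched, and the directory and DLL names are invented for the example.
"""
from dataclasses import dataclass

SYSTEM32 = r"c:\windows\system32"
# With SafeDllSearchMode on (the Windows default) the order after the
# application directory is: System32, the 16-bit system directory, the
# Windows directory, the current directory, then each PATH entry.
SYSTEM_DIRS = [SYSTEM32, r"c:\windows\system", r"c:\windows"]


@dataclass
class Host:
    app_dir: str        # directory the installer executable runs from
    cwd: str            # current working directory at load time
    path_dirs: list     # entries of PATH
    files: dict         # directory -> set of lowercase file names present there
    user_writable: set  # directories a standard (non-admin) user can write to
    known_dlls: set     # KnownDLLs: always mapped from System32, never searched


def search_order(host, restricted=False):
    """Directories consulted, in order, for an implicitly loaded DLL."""
    if restricted:
        # Models SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32):
        # only System32 is consulted, so writable directories never win.
        return [SYSTEM32]
    return [host.app_dir] + SYSTEM_DIRS + [host.cwd] + host.path_dirs


def audit(host, imports, restricted=False):
    """Classify each import by where it loads from and whether a user-writable
    directory is consulted before that location (a hijack opportunity)."""
    order = search_order(host, restricted)
    findings = {}
    for dll in imports:
        name = dll.lower()
        if name in host.known_dlls:
            findings[dll] = ("ok", SYSTEM32)  # KnownDLLs bypass the search entirely
            continue
        source = next((d for d in order if name in host.files.get(d, set())), None)
        # Directories searched before the real copy is reached (all of them if missing)
        consulted = order if source is None else order[: order.index(source)]
        writable = next((d for d in consulted if d in host.user_writable), None)
        if source is None:
            findings[dll] = ("missing", writable)       # first writable dir could supply it
        elif writable is not None:
            findings[dll] = ("shadowable", writable)    # writable dir wins over the real copy
        elif source in host.user_writable:
            findings[dll] = ("writable-source", source)
        else:
            findings[dll] = ("ok", source)
    return findings


# Constructed host: installer launched from a user's Downloads folder.
DOWNLOADS = r"c:\users\alice\downloads"
SAMPLE_HOST = Host(
    app_dir=DOWNLOADS,
    cwd=DOWNLOADS,
    path_dirs=[r"c:\tools"],
    files={SYSTEM32: {"kernel32.dll", "sysnet.dll"}, DOWNLOADS: {"setup.exe"}},
    user_writable={DOWNLOADS, r"c:\tools"},
    known_dlls={"kernel32.dll"},
)
# Constructed import table of the hypothetical installer.
SAMPLE_IMPORTS = ["KERNEL32.dll", "sysnet.dll", "installer_helper.dll"]


if __name__ == "__main__":
    for mode in (False, True):
        print("restricted search" if mode else "default search")
        for dll, (verdict, where) in audit(SAMPLE_HOST, SAMPLE_IMPORTS, mode).items():
            print(f"  {dll:22} {verdict:16} {where}")
```

Run as a script, the default search flags `sysnet.dll` as shadowable by the Downloads folder and `installer_helper.dll` as missing but suppliable from there, while `KERNEL32.dll` is safe because it is a KnownDLL. In restricted mode both hazards disappear, but `installer_helper.dll` now fails to load at all, which is the trade-off behind a "large code revision": every non-system DLL the installer needs has to be loaded explicitly from a location the installer controls.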

It's worth noting that this only applies to the desktop Skype app and not the Universal Windows Platform (UWP) version available from the Microsoft Store.


Dan Thorp-Lancaster is the former Editor-in-Chief of Windows Central. He began working with Windows Central, Android Central, and iMore as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl

56 Comments
  • Bunch of muppets, they have destroyed Skype.
  • It's time to kill Skype.
  • I could make so many jokes regarding this issue and Skype sucking currently, it's just not worth going there anymore.
  • Skype has been shoved down corporate users' throats -- they have no choice but to use it. The company I worked for replaced messaging apps, phone lines and remote sharing with the crappy bloated software. Kickbacks from MSFT to the IT decision makers must have been pretty sweet. So why care about quality and moving fast to fix bugs when your corporate customers are at your mercy?
  • @Intosh, you're confusing Skype with Skype for Business, which is really just a rebranded Lync. Totally different products.
  • Not to mention the plenty of alternative solutions that do not make you dependent on it.
  • Funny enough, for some reason my Skype for Business is still branded Lync. All of my peers are now on Skype for Business, but mine won't update to new version. And, it's all the same, so not worth dealing with IT. lol
  • Skype for Business is being deprecated and replaced by Microsoft Teams, which is so much better. The company I work for is starting to roll out and you can hear the sighs of relief as you walk the halls. Hopefully your org gets it soon too.
  • "requires 'large code revision' to correct" Yeah, nothing new in Skype.
  • To those ********, you know better? Then make something better!
  • That's such a ridiculous aphorism. I can't make a decent chair, but if I sit on one and the leg breaks I can easily identify it as a rubbish chair. Basically, unless you are entirely self sufficient, using this kind of comment makes you look a bit bonkers. If you are entirely self sufficient, it makes you look like you have no clue how the rest of the world works. I've written a comms utility before now, and I have all sorts of bugs with the third party software I use that I would like corrected, but unsurprisingly I'm not in a position to give up my job and divert all my time to making everything I use in my life myself. Especially not to satisfy your requirements before I am allowed to point out that the products made by others sometimes have serious problems that need fixing.
  • Well said
  • "It's worth noting that this only applies to the desktop Skype app and not the Universal Windows Platform (UWP) version available from the Microsoft Store." And this is why UWP and the Store are the future.
  • The thing is they could easily use the Centennial bridge to convert the Win32 app into a Store app and then build upon that. The other benefit is that it shows developers how converting Win32 apps can be beneficial, thus adding more fuel to Store app growth.
  • What they already did with Office. So no need in that regards. And yes, a non-UWP win32 app would have done great on a mobile device.
  • @Gregorius Magnus. Office is a productivity suite whereas skype is a communications platform (apparently) therefore vastly two different things.
  • But Outlook is part of Office, so Office is a communications platform too? Not so vastly different.
  • @AndyCalling Can you do group calls, send IMs, video chat, voice chat etc via the outlook app? Skype also provides back end services for Microsoft's web casts. So yes, it is vastly different than outlook. Outlook is primarily geared around email and it is not a 'communications platform'
  • And you could say that basically about any of the Microsoft apps. They don't intend to program anything twice unless it used UWP instead of Win32. So which of your arguments do you expect to support with the other now? I don't see a point in what you are saying. And how is communication coming suddenly to your thesis "convert win32 app into store app...to build on it" "...show developers how converting..."
  • Three words: cumulative organic growth.
  • Desktop Bridge is only a temporary fix. UWP is the future of app development, according to Microsoft.
  • That wouldn't mitigate the problem though, the UWP version doesn't have this issue as it doesn't rely on any of the aging win32 components.
  • Not if the software in the Store is not the same as the desktop version. The UWP version looks awful and from what I have read about it is nothing like the desktop version. Also who is to say that this could not happen with software from the Store? I use the desktop version of Skype because it allows me to log in using a Skype name; the last time I used a Skype app it wanted me to log in with an MS account. Thankfully I still have a version of Skype desktop.
  • I hate to break it to you but a Skype account is also a Microsoft Account. Login to accounts.microsoft.com to see.
  • Long story short, if you want the reliability of the Win32 version of Skype, want to keep using that version of Skype and want Microsoft to fix it, you'd have better chances swimming to Pluto whilst being chased by a shark driving a bus as it chucks lightning bolts at you.
    My point?
    The Skype team have lost the plot completely and are just going through the motions of doing "work".
    The UWP version is utter tripe.
    But I get the unwillingness, lack of resources. But even then Skype has been failing miserably for a very long time.
  • Considering sharks can't drive, or have the opposable thumbs required for throwing things, I like my odds there. I just need to learn to swim in space ...
  • Haha.
  • They could be mutant sharks though!!
  • The last paragraph mentioned that this problem affects only the desktop version of Skype, not the UWP version. Generally speaking, how do I know which version I'm running?
  • If you installed it from the Microsoft Store app, it's the UWP version.
  • Way to go Microsoft. Leaving bugs unrepaired will certainly endear you to the corporate clients you depend on now that you aren't interested in consumer sales.
  • Don't confuse Skype with Skype for Business, Skype for Business is just a rebranded version of Lync.
  • Dumped.
  • Another reason Store apps and UWP are better than the old versions. I use Skype constantly for audio and video conferencing, for SMS text messages mirrored between my phone and PC, and for standard Skype text messaging throughout the day with my wife. UWP/Store version does it all beautifully.
  • Lazy ass programmers.. All of the AAA coders have gotten old and retired from Microsoft.. Sad but that's life...
  • Or they are simply told to work on something else than legacy apps.
  • Not surprising. MS has long since thrown in the towel on making Skype a good program. I don't know what needs to happen, but Microsoft had better start trying to get great developers again, but that is also a tough battle as the great ones don't want to work for MS.
  • They do. But they cost more than most programmers from frequent regions of the world.
  • Heh.. The fact that you do not know what needs to happen to make people like it likely means that they do not either ^_^
  • Welp, no biggie since everyone I know stopped using it years ago. *sad*
  • There's no excuse for leaving the software in a vulnerable state, this is the same company that will try and force upgrades citing "security" when it makes them money but when there's no profit their hypocrisy is revealed, along with the mindless sheep bleating their agreement.
  • And basically you described an Enterprise. 😄 But let me know of a top20 company that is based on charity. Or are you still sad that Windows ME is in a vulnerable state?
  • MS could be pushing out this "new version" tomorrow. Why issue a quick fix when a solution is already ready and waiting to be deployed? All the user has to do is update when it's available. It's no different than any other update. The vulnerability is news, but Microsoft's actions aren't news worthy. It's just normal update process.
  • Never used Skype anyway; not one of my friends/contacts actually has it, so it's pointless to me. WhatsApp, FB Messenger and good old SMS do the job.
  • Once again, MSFT giving the middle finger to their loyal base. Maybe if they stopped bowing down to Apple and Android customers and working so hard on apps for those users, they'd have the time needed to fix this security flaw.. I mean hell, they still haven't even fixed the emoji issue on Windows 10 Mobile.
  • What about Skype for Business???
  • Never mind, I forgot it's a rebrand of Lync.
  • "a fix will be released with a newer version of the client" Has everyone commenting missed this part??? Microsoft is saying the issue is fixed, and instead of pushing out an update just for this they will release it as part of a newer version of Skype. All the end user has to do is install the update when it's available. How is that different than any other update? The new version could be out tomorrow (probably not).
  • So Skype for Business is screwed.
  • Nope, Skype for Business is a rebranding of Lync so it doesn't have this issue.
  • The UWP version of Skype doesn't have this issue. And what's up with Microsoft Edge? I can't post cooments in the Windows Central forums.
  • I would try posting a comment instead, cooments are incompatible.
  • Sad to see all of these comments condemning Skype, but I guess it's not you guys' fault. It's the sites pushing these lies.
  • LOL, fake news again.
  • Big issue with the UWP app: it basically disabled power management on laptops. Took me a week to find out why my laptop stopped turning the screen off or going to sleep. After some research I found years-old threads about it. Uninstalled the UWP app, and the issue went away immediately.
  • I use the UWP app and have had zero issues with power management, and unless others have reported the same issue then I would look elsewhere first before blaming Skype.