Updated February 15, 2018: Microsoft has provided an update on this issue, stating that it was corrected in a new version of the Skype installer made available in October. "There was an issue with an older version of the Skype for Windows desktop installer – version 7.40 and lower," Microsoft says. "The issue was in the program that installs the Skype software – the issue was not in the Skype software itself. Customers who have already installed this version of Skype for Windows desktop are not affected. We have removed this older version of Skype for Windows desktop from our website skype.com." The original story follows.
A bug has been found in Skype's update process which could give an attacker system-level privileges if exploited. However, it appears that Microsoft won't be fixing the bug any time soon.
ZDNet reports that Microsoft is aware of the bug, but says that it requires "too much work" for an immediate security fix. From ZDNet:
But Microsoft, which owns the voice- and video-calling service, said it won't immediately fix the flaw, because the bug would require too much work.
Stefan Kanthak, the security researcher who discovered and described the bug, explained that the issue lies in Skype's updater, which runs as a separate executable file. The executable is vulnerable to DLL hijacking, which could be used to trick the application into loading malicious code. An attacker could use this vector to gain system privileges, which would allow them to "do anything," Kanthak told ZDNet.
Microsoft was alerted to the vulnerability in September, but it says it "would need a large code revision to prevent DLL injection." Rather than issue a security update, Microsoft says instead that a fix will be released with a newer version of the client while the current version "will slowly be deprecated."
It's worth noting that this only applies to the desktop Skype app and not the Universal Windows Platform (UWP) version available from the Microsoft Store.
We may earn a commission for purchases using our links. Learn more.
Benchmarking the new Surface Book 3 15 with GTX 1660 Ti and 10th Gen i7
Although it's too early for a review, here are some initial benchmarks from the new Surface Book 3 15-inch with a Core i7 and NVIDIA GeForce 1660 Ti (Max-Q) and how it compares to Surface Book 2 and other premium laptops. Spoiler: While the CPU is just OK, that 1660 Ti definitely bumps up the Book 3's potential.
Developers weigh in on Microsoft's all-digital Build 2020 conference
Microsoft had to hold Build 2020 as an all-digital event. Developers from around the web shared their thoughts on Microsoft's all-digital conference and the biggest announcements from the event.
Review: Sabrent's Rocket Q SSDs are fast, well-priced and go up to 4TB
Sabrent has a new SSD range available in the form of the Rocket Q. These new NVMe SSDs use QLC NAND, but offer impressive speeds and storage capacities at affordable prices. Check our full review to see how they compare against other SSDs.
Make the most of your Surface Pen and Slim Pen with these awesome apps
To really maximize the ability of the Surface Pen and Slim Pen, there are some essential apps you should check out. We've rounded up the best right here for a variety of purposes.