
Skype has a stubborn bug, but Microsoft says fixing it is too much trouble and does not want to fix it

via: 博客园     time: 2018/2/14 17:02:25


A security vulnerability has been found in Skype's update mechanism that lets an attacker gain system-level privileges on a vulnerable computer.

That is not the worst of it: Microsoft says it won't fix the flaw immediately, because doing so would require too much work. Microsoft has chosen to put all its resources into a new client.

The report describes the vulnerability:

Stefan Kanthak, a security researcher, found that the Skype update installer can be exploited through DLL hijacking, a technique that lets attackers trick an application into loading malicious code. Attackers can download a malicious DLL into a user-accessible temporary folder and rename it to match an existing DLL that can be modified by non-privileged users (such as UXTheme.dll).

The flaw works because, when the application searches for the DLL it needs, it finds the malicious DLL first. Once installed, Skype is updated using its own built-in update program. When the update runs, it launches another executable file to perform the update, which is easily hijacked.

Compiled from: ZDNet
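The search-order behaviour described above can be modelled and audited from the defender's side. The following is an added example, not code from the report or from Skype: it builds a constructed directory tree (all paths and file names other than UXTheme.dll are hypothetical), shows which copy an application-directory-first search resolves, and flags DLLs in a user-writable folder that shadow a system DLL.

```python
import os
import tempfile


def resolve_dll(name, search_dirs):
    """Return the first match for `name`, walking search_dirs in order and
    comparing names case-insensitively, as the Windows loader does."""
    for directory in search_dirs:
        for entry in sorted(os.listdir(directory)):
            if entry.lower() == name.lower():
                return os.path.join(directory, entry)
    return None


def audit_app_dir(app_dir, system_dir):
    """Report DLLs in app_dir that shadow a system DLL of the same name,
    and whether the current user can write to app_dir."""
    system_names = {e.lower() for e in os.listdir(system_dir)
                    if e.lower().endswith(".dll")}
    shadowed = sorted(e for e in os.listdir(app_dir)
                      if e.lower() in system_names)
    return {"writable": os.access(app_dir, os.W_OK), "shadowed": shadowed}


def demo():
    """Build a constructed tree and compare the two search orders."""
    with tempfile.TemporaryDirectory(prefix="dll-search-demo-") as root:
        app_dir = os.path.join(root, "Temp", "updater")       # hypothetical
        system_dir = os.path.join(root, "Windows", "System32")
        os.makedirs(app_dir)
        os.makedirs(system_dir)
        for path in (os.path.join(app_dir, "updater.exe"),
                     os.path.join(app_dir, "UXTheme.dll"),     # planted copy
                     os.path.join(system_dir, "uxtheme.dll"),
                     os.path.join(system_dir, "kernel32.dll")):
            open(path, "w").close()                            # empty placeholders
        # Default order: the application's own directory is searched first.
        default_hit = resolve_dll("uxtheme.dll", [app_dir, system_dir])
        # Hardened order: system directory only, which is what the
        # LOAD_LIBRARY_SEARCH_SYSTEM32 flag asks of the Windows loader.
        hardened_hit = resolve_dll("uxtheme.dll", [system_dir])
        return {
            "default_from_app_dir": os.path.dirname(default_hit) == app_dir,
            "hardened_from_system_dir":
                os.path.dirname(hardened_hit) == system_dir,
            "audit": audit_app_dir(app_dir, system_dir),
        }


if __name__ == "__main__":
    print(demo())
```

A writable application directory combined with a non-empty `shadowed` list is the condition worth alerting on for any installer or updater that runs with elevated privileges.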
