• Skype Flaw Fixed in v.8

    #167781

    That terrifying ‘unfixable’ Microsoft Skype security flaw: THE TRUTH
    Oh yeah, we patched that in October, Windows giant yawns

    By Shaun Nichols | February 15, 2018

     
    Microsoft has poured a bucket of cold water on people freaking out over a supposedly unfixable security flaw in Skype.

    The infosec world was atwitter this week over fears and headlines of a nasty bug in Redmond’s video chat app that apparently cannot be addressed without a massive code rewrite. That the programming blunder was so major, it cannot be simply patched, and Microsoft will have no option but to reengineer Skype for Windows and issue a new release sometime in the future.

    Well, it was fixed in October.

    Far be it from us to run to Microsoft’s rescue, but the vulnerability is present in Skype for Windows versions 7.40 and lower. In October 2017, Microsoft released version 8 without the flaw, so if you kept up to date, you’re fine. If you’re running version 7 for some reason, get version 8.

     
    Read the full article here

    • #167803

      Which is great and all, but Skype 8’s GUI is an absolute mess which is why everyone has avoided upgrading, or even went back to 7 after trying that trainwreck. I’m still using 7.40.0.103, so until this flaw starts getting exploited bigly, I’ll stick with it. If I upgrade, it won’t be Skype 8 (that’s a downgrade), it’ll be to another client that isn’t Skype.

    • #167939

      I’ve been anxious about this since hearing of it a few days ago, but other than “update to Skype 8,” there seems to be no given solution to this issue for OSes below Windows 10. Which… well, I’ve heard things about Skype 8, mostly unflattering. The greatest irony is that I haven’t been offered updates for Skype in months, and even with a manual “Check for updates,” it claims I have the latest version. I suppose I would need to uninstall and reinstall Skype if I wished to continue using it? Is there any downside to switching to Web Skype instead?

    • #168137

      So if the bad guys somehow get access to your computer (via some other exploit) and they have write access to the Windows folder (read as: admin privileges) they can drop a DLL there and use it to take admin control of your system.

      So if they have _already_ taken over your computer this flaw will allow them to take over your computer…

      Did I miss something?

      • #168447

        The folder involved is %SystemRoot%\Temp\, which doesn’t need admin privileges to be written to.

        • #168703

          Interesting, I’ve always taken that folder to be admin read/write only. But on further review I see that “users” have traverse (folders) / execute (files), create/write files, and create folders / append data (files).

          Users just don’t have read permissions for the folder, but they can write/create files with a known fixed path and have full permissions for anything they are owner/creator of.

          This seems like bad design in Windows. Windows/temp should be the admin (only) temp folder. Otherwise %temp% should be used.

          Programming-error-wise it sounds downright simple to fix: compile Skype to use DLLs (& temp folders) correctly.
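
The permissions discussed in the replies above can be verified on a given machine. The following PowerShell is an added example, not part of the thread or the quoted article; it assumes an elevated session and treats SYSTEM, Administrators and CREATOR OWNER as the only principals to ignore.

```powershell
# Added example (not from the thread): report which principals can create
# files or folders in %SystemRoot%\Temp.
# Assumption: run in an elevated session so the folder's ACL is readable.
$path = Join-Path $env:SystemRoot 'Temp'

# Well-known SIDs treated as privileged or not directly usable by a standard user.
$ignored = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0'        # CREATOR OWNER (only governs objects a caller already created)
)

# CreateFiles (write data) and CreateDirectories (append data) are the rights
# that let a principal place new content in the directory.
$createMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'

# Ask for the rules keyed by SID so the comparison does not depend on localized names.
$acl   = Get-Acl -LiteralPath $path
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$findings = foreach ($rule in $rules) {
    if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
    if ($ignored -contains $rule.IdentityReference.Value) { continue }
    if (([int]$rule.FileSystemRights -band $createMask) -eq 0) { continue }

    # Resolve the SID to a name for the report; keep the raw SID if that fails.
    $name = try {
        $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $rule.IdentityReference.Value
    }

    [pscustomobject]@{
        Identity  = $name
        Rights    = $rule.FileSystemRights
        Inherited = $rule.IsInherited
        AppliesTo = $rule.InheritanceFlags
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No non-administrative principal can create files in $path"
}
```

Access rules stored with generic rights bits appear as raw numbers in `FileSystemRights` and are not matched by this mask, so review any such entries by hand.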
