Microsoft had a bad time last month after the potential threat linked to Spectre and Meltdown, which affects almost all major chip makers including Intel, AMD, and ARM, was uncovered. Microsoft issued an update to resolve it, but that also went wrong, wrecking some AMD-powered PCs. Now the software giant is looking to resolve another major security flaw in Skype for Windows, but it needs more time for that.
Recently, security researcher Stefan Kanthak discovered a bug that can trick a Skype update into loading malicious code instead of the right library. An attacker would simply need to put a fake DLL into a user-accessible temporary folder, with the name of an existing DLL that could be modified by anyone without system access. Microsoft has confirmed that Skype currently has a security flaw that can give attackers system-level access.
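A defender can watch for this pattern in module-load telemetry. The following is an added example, not code from the article, Microsoft or the researcher: it filters image-load events (field names follow Sysmon Event ID 7) for DLLs that a SYSTEM-level process loaded from a user-writable folder. The folder list, process names and DLL names are assumptions constructed for illustration.

```python
import ntpath

# Assumption: path fragments for folders unprivileged users can usually write to.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")
PRIVILEGED = {"nt authority\\system"}

def in_user_writable_dir(dll_path):
    # Normalise first so "..\\" segments cannot hide the real folder.
    folder = ntpath.dirname(ntpath.normpath(dll_path)).lower() + "\\"
    return any(fragment in folder for fragment in USER_WRITABLE)

def suspicious_loads(events, system_dll_names):
    """Flag DLLs a SYSTEM-level process loaded from a user-writable folder."""
    known = {name.lower() for name in system_dll_names}
    findings = []
    for ev in events:
        if ev["User"].lower() not in PRIVILEGED:
            continue
        if not in_user_writable_dir(ev["ImageLoaded"]):
            continue
        findings.append({
            "process": ev["Image"],
            "dll": ntpath.normpath(ev["ImageLoaded"]),
            # Same file name as a system library: the pattern in the article.
            "shadows_system_dll": ntpath.basename(ev["ImageLoaded"]).lower() in known,
            "signed": ev.get("Signed", "false").lower() == "true",
        })
    return findings

# Constructed sample events and DLL names (hypothetical, not from the article).
SYSTEM_DLLS = ["example.dll"]
SAMPLE_EVENTS = [
    {"User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\Temp\\upd_1\\updater.exe",
     "ImageLoaded": "C:\\Windows\\Temp\\upd_1\\EXAMPLE.dll", "Signed": "false"},
    {"User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\Temp\\upd_1\\updater.exe",
     "ImageLoaded": "C:\\Windows\\System32\\example.dll", "Signed": "true"},
    {"User": "DESKTOP\\alice", "Image": "C:\\Tools\\app.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\example.dll", "Signed": "false"},
    {"User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Program Files\\App\\svc.exe",
     "ImageLoaded": "C:\\Program Files\\App\\..\\..\\Windows\\Temp\\x\\helper.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for finding in suspicious_loads(SAMPLE_EVENTS, SYSTEM_DLLS):
        print(finding)
```

Findings where `shadows_system_dll` is true and `signed` is false deserve the first look, since they match the name-collision case described above.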
However, Microsoft will not immediately fix the issue because doing so would require a complete code revamp. The bug is attributed to Skype's automatic update function, which can be altered to trick the application into allocating permissions by inserting incorrect code. According to Kanthak,
“They’ve reviewed the code and were able to reproduce the issue, but have determined that the fix will be implemented in a newer version of the product rather than a security update.”
It appears that Microsoft will not be issuing a security update; instead, Skype will undergo a major revision later, in which the bug will be fixed. According to an official statement by the company,
“We have a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is that on issues of low risk, we remediate that risk via our Update Tuesday schedule.”
It must be noted that the security flaw is limited to the full Skype program on the desktop, meaning users of the Universal Windows Platform (UWP) application will face no issues.