The fix will land with a new version of Skype, rather than a security update.

Skype has fallen foul of a security flaw that can allow attackers to gain system-level privileges on vulnerable computers, Microsoft has confirmed. However, the company won’t immediately fix the issue because doing so would require a complete code overhaul.

The bug was discovered by security researcher Stefan Kanthak, who says the Skype update process can be tricked into loading malicious code instead of the right library. An attacker would simply need to put a fake DLL into a user-accessible temporary folder, giving it the name of an existing DLL that could be modified by anyone without system privileges. Anyone trying to hijack your PC would obviously need access to your file system, but according to Kanthak, once system access is granted, an attacker “can do anything”.
