Skype Desktop Vulnerability
Several weeks ago, Microsoft was informed of a vulnerability (a hole) affecting the Skype application. Since Skype is part of the Windows OS, and you do not have to go out of your way to install it, today’s post provides a simpler explanation of the problem and solutions to minimize the exposure of your private data.
The Problem
Just like your local library, Windows applications have a location that provides a centralized repository of reusable information. In the operating system (OS), this is called a Dynamic Link Library (DLL). Software developers can reuse instructions for common tasks that have already been written and stored in this library: for example, warning messages, updater instructions, annoying pop-ups, etc.
The issue here is that the library with instructions (DLL) for the updater of the Skype Desktop version has a vulnerability. The vulnerability gives an attacker elevated access to your system without using an administrator’s password. This happens when the application is looking for the updater's DLLs and a fake version is loaded instead.
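The lookup described above can be audited from the defender's side. The following is an added example, not code from Microsoft or from the original post: it walks an ordered list of folders the way a DLL lookup does and reports any DLL that would be picked up from a folder outside a trusted list. The folder names and DLL names are constructed placeholders, since the post does not name the real ones.

```python
import os
import tempfile

def resolve_dll(name, search_dirs):
    """Return the first directory, in search order, that contains `name`.
    Matching is case-insensitive, as Windows file names are by default."""
    wanted = name.lower()
    for directory in search_dirs:
        try:
            entries = os.listdir(directory)
        except OSError:
            continue  # missing or unreadable folder: nothing can load from it
        if any(entry.lower() == wanted for entry in entries):
            return directory
    return None

def audit(dll_names, search_dirs, trusted_dirs):
    """Report every DLL that is missing or resolves outside `trusted_dirs`."""
    trusted = {os.path.normcase(os.path.abspath(d)) for d in trusted_dirs}
    findings = []
    for name in dll_names:
        hit = resolve_dll(name, search_dirs)
        if hit is None:
            findings.append((name, None, "not found"))
        elif os.path.normcase(os.path.abspath(hit)) not in trusted:
            findings.append((name, hit, "loads from untrusted directory"))
    return findings

def demo():
    """Constructed layout: an updater folder that is searched before a system folder."""
    root = tempfile.mkdtemp()
    updater_dir = os.path.join(root, "updater_temp")  # hypothetical, user-writable
    system_dir = os.path.join(root, "system")         # hypothetical, admin-only
    os.makedirs(updater_dir)
    os.makedirs(system_dir)
    for name in ("example_a.dll", "example_b.dll"):    # the genuine copies
        open(os.path.join(system_dir, name), "wb").close()
    # A same-named file sitting in the folder that is searched first.
    open(os.path.join(updater_dir, "EXAMPLE_B.DLL"), "wb").close()
    order = [updater_dir, system_dir]
    return audit(["example_a.dll", "example_b.dll"], order, [system_dir]), updater_dir

if __name__ == "__main__":
    for name, where, reason in demo()[0]:
        print(f"{name}: {reason} ({where})")
```

On a real system, the search order and the trusted folders would be replaced with the ones that apply to the program being checked.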
For Microsoft to be able to fix this hole, a full rewrite of Skype’s update installer will be required. This is why Microsoft is not planning to create a patch to cover this hole; instead, they are creating a whole new Skype version, which will take them some time.
The patch will not be created because, in reality, this is a hole that will require the user to make a series of mistakes before it can be penetrated. The infected DLL file needs to be introduced to your system for the installer to use it; this can only happen if you click on attachments from a suspicious email or compromised websites.
Imagine that your neighbor asked you to cover a hole in your backyard fence because his dog could get injured. Are you going to spend money to expedite the solution (for something that would only be an issue if the neighbor’s dog jumps the 15-foot fence surrounding your patio)?
The Solution
Until the new Skype application is available, below are several things you can do to help minimize your risk.
- Uninstall the desktop version of the application - you can get the application directly from the Microsoft webpage
- If you decide to keep using the application version, do not click on suspicious emails or websites
- Keep your antivirus updated, run periodic system scans and scan downloaded files before opening them