CMYKninja

Skype can't fix a nasty security bug without a massive code rewrite


Posted · Original Poster

Skype can't fix a nasty security bug without a massive code rewrite

The bug grants a low-level user access to every corner of the operating system.

By Zack Whittaker for Zero Day | February 12, 2018 -- 21:28 GMT (13:28 PST) | Topic: Security

 

source: http://www.zdnet.com/article/skype-cannot-fix-security-bug-without-a-massive-code-rewrite/

 

Quote

A security flaw in Skype's updater process can allow an attacker to gain system-level privileges to a vulnerable computer.

The bug, if exploited, can escalate a local unprivileged user to the full "system" level rights -- granting them access to every corner of the operating system.

But Microsoft, which owns the voice- and video-calling service, said it won't immediately fix the flaw, because the bug would require too much work.

...

Once installed, Skype uses its own built-in updater to keep the software up to date. When that updater runs, it uses another executable file to run the update, which is vulnerable to the hijacking.

 

I feel that there are so many ways into systems now that you have to assume that you are on an insecure system, unless you know it's secure.
For personal use it's one thing, but as someone who has sensitive embargoed designs come across his desk, I get a little worried about the business disruptions and industrial espionage opportunities.

Even more alarming is this "it's too hard to fix, and we're all doomed to getting hacked anyway" mentality that seems to be evolving...

Even Linus says he uses Skype... 

 


Who uses Skype again? I last used that in 2012 lmao. Discord has way better voice and video quality. And the way in general they have it set up is great.



What's even more surprising is that Windows 10 likes to push its products to the machines. Bit worrying if I open Skype for that risk.


7 minutes ago, Being Delirious said:

Who uses Skype again? I last used that in 2012 lmao. Discord has way better voice and video quality. And the way in general they have it set up is great.

I still use Skype because I'm not going to bother switching to whatever chat client is the flavor of the month.  If it's not on iMessage, WhatsApp, or Skype then I don't need it.



So is this just for the normal craptastic Skype or also for Skype for Business?


Just now, Bananasplit_00 said:

So is this just for the normal craptastic Skype or also for Skype for Business?

Skype for Business doesn't get general updates; they're pushed from IT.


Just now, Bananasplit_00 said:

So is this just for the normal craptastic Skype or also for Skype for Business?

Probably just Skype, more than likely. Skype for Business was mainly used for Office 365 if you had a domain.



Then rewrite the whole thing. It's a piece of crap as it stands currently. And God forbid the tragedy which is the W10 store version.


Posted · Original Poster
20 minutes ago, SC2Mitch said:

Why are people still using Skype? It's fucking ancient 

LMG does; didn't they say it in the last WAN Show?
But let's be honest, small, non-tech-savvy companies are the most at risk because they probably can't afford IT teams that control the masses with draconian IT policies...

Posted · Original Poster
3 minutes ago, JuztBe said:

Then rewrite the whole thing. It's a piece of crap as it stands currently. And God forbid the tragedy which is the W10 store version.

I agree! If Microsoft is honestly committed to good code and, more importantly, a culture of quality / security, that's exactly what should be done if need be. They tell the world "we're going to spend the $$ to do what's right"; that's the value proposition...


Honestly this might be a good time to bring something like MSN back. I still miss it and there has never been a worthy alternative. There have been decent alternatives, don't get me wrong, but none of them imo have managed to reach the same level.


33 minutes ago, Being Delirious said:

Who uses Skype again? I last used that in 2012 lmao. Discord has way better voice and video quality. And the way in general they have it set up is great.

I use it to Skype to my parents overseas weekly.

 

Just because we are used to using it, and I would have to explain to them how to install and use something else otherwise. Also, Skype has a neat feature where you can call landlines and cellphones internationally for pretty cheap. It all just works pretty well, and switching is harder than just continuing to use Skype, because it is what everyone has.

 

I do wish Skype video/call quality was better. Seems like there have been no real improvements to the whole experience since 2012 or so.

 

Discord might have better quality, but I hate the Discord interface, it is needlessly confusing how to set up.

 

On topic: This "Too much work to fix" is unacceptable! If it is broken, they have to fix it, especially serious security holes.

31 minutes ago, WiViW said:

What's even more surprising is that Windows 10 likes to push its products to the machines. Bit worrying if I open Skype for that risk.

To be fair, they are pushing the UWP version to Windows 10 users and not the desktop version.



Another reason to just bring back Live Messenger. 



Ok, let me explain better than the crappy news article.

  1. It affects Skype DESKTOP app (so Windows 7, 8 users). UWP (Win10 built-in Skype app), Android, and iOS are not affected
  2. The system needs to be infected by a malware to inject code in the DLL files of Skype to make it download the wrong file off the web
  3. The way it affects you (if you are infected) is that it relies on you giving the Skype updater admin privileges to allow the update setup to run, which, instead of being a Skype update, is some other .exe it was fooled into getting due to the hack.
  4. Technically, this hack can affect nearly ALL auto-updater systems of programs. You can do it with Firefox, Chrome, Java, Flash, and just about anything else. Technically, you can even infect Steam by rerouting traffic from the Steam server for game updates to another one, and the moment you run the game, it runs the malware/ransomware.
  5. "Massive code rewrite" is a laughable statement. All that needs to be recoded or patched is the automated update system: to scan for injected code in itself, and to find ways to make sure the data downloaded wasn't rerouted and is indeed correct (many challenges to solve).

The attack is unlikely to happen, as it would require mass servers and internet bandwidth for the attacker to have in place to support the hundreds of thousands if not millions who will be infected, as they'll all have Skype connect to the server that he set up to get the infection, possibly at the same time as well. MS has the mass numbers of servers and infrastructure, including being a kind of Tier 1 ISP by having direct lines connected to other Tier 1 and Tier 2 actual providers (much like Google, and even Facebook but to a lesser extent). That hacker has no chance to make a real impact... Also, if the malware maker makes a solution that managed to infect people, why not just have it do what it wants to do.. why go through the complication of making Skype download something else, run it as admin, and infect the system again? Just make a ransomware... much easier, if you ask me.. no need even to go past the UAC prompt, and that is why they are popular these days.

 

It is clearly a much lower priority issue in Microsoft's eyes, as their focus is on Windows 10, Android and iOS, and not the legacy desktop app, and the risk of infection is clearly viewed to be nothing critical.

 

And this thing sounds like over-hype for attention by the discoverer... I mean, with statements like:

Quote

"System is 'administrator' on steroids,"

Sooooo a normal Administrator... true administrator is the highest level you can be on a Windows system. That is like saying "the malware will be root on steroids!!!" on a Linux based system. It's root, there is no higher! You have full access to all!

 

So what is "on steroids"... clearly playing with the lack of technical knowledge of the journalists (basically click-baiting them, making you click-bait.. clever, I must say!) to get his name out there, I guess. Probably he or his company seeks a job?

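As an added defender-side example (not from the article or any post in this thread), here is a PowerShell check for the two conditions the post above describes: whether low-privileged users can write into the directory an updater loads code from, and whether a downloaded installer carries a valid Authenticode signature from the expected publisher before it is handed to an elevated install. The directory, file path and publisher name are placeholders, not Skype's real values.

```powershell
# Added example, not Skype's or Microsoft's code. All three values are placeholders.
param(
    [string]$UpdaterDir      = 'C:\Program Files (x86)\ExampleApp\Updater',  # placeholder
    [string]$UpdateFile      = "$env:TEMP\ExampleApp-Update.exe",            # placeholder
    [string]$ExpectedSubject = 'CN=Example Publisher, O=Example Corp'        # placeholder
)

# Check 1: DLL hijacking is only possible if a low-privileged principal can drop a
# file into the directory the updater loads from. Flag any Allow ACE that grants
# Write/Modify/FullControl to Users, Everyone or Authenticated Users.
# (Rights expressed as raw generic-access numbers are not matched by this regex.)
$acl   = Get-Acl -Path $UpdaterDir
$risky = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference -match 'Users|Everyone|Authenticated Users' -and
    $_.FileSystemRights  -match 'Write|Modify|FullControl'
}
if ($risky) {
    Write-Warning "Low-privileged principals can write to ${UpdaterDir}:"
    $risky | Format-Table IdentityReference, FileSystemRights -AutoSize
} else {
    Write-Output "OK: no low-privileged write access on $UpdaterDir"
}

# Check 2: before anything runs elevated, require a valid Authenticode signature
# (chain and timestamp both good) from the publisher we expect, not just "any" signature.
$sig = Get-AuthenticodeSignature -FilePath $UpdateFile
if ($sig.Status -ne 'Valid') {
    Write-Warning "Refusing to run ${UpdateFile}: signature status is $($sig.Status)"
} elseif ($sig.SignerCertificate.Subject -notlike "*$ExpectedSubject*") {
    Write-Warning "Refusing to run ${UpdateFile}: signed by $($sig.SignerCertificate.Subject)"
} else {
    Write-Output "OK: $UpdateFile is signed by $($sig.SignerCertificate.Subject)"
    # Only at this point would a hardened updater hand the file to an elevated installer.
}
```

Run it from an elevated prompt so Get-Acl can read the install directory; a second download swapped in by rerouted traffic fails check 2 because the attacker cannot sign with the publisher's key.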

Who uses Skype these days? Well. Tech companies and reviewers do. I've had contact with reps from various hardware tech companies and resellers over the years. Afaik LMG also uses Skype for stuff. Linus has complained about the separation issues with Skype and Skype for Business on the WAN Show at least two times.

 

But is it a platform for personal use anymore? Not so much. 

14 minutes ago, Cheezdoodlez said:

Who uses Skype these days? Well. Tech companies and reviewers do. I've had contact with reps from various hardware tech companies and resellers over the years. Afaik LMG also uses Skype for stuff. Linus has complained about the separation issues with Skype and Skype for Business on the WAN Show at least two times.

 

But is it a platform for personal use anymore? Not so much. 

Skype is still widely used. It is currently still the best platform for audio and video chat between countries, for most countries, where you have great audio and video quality if both sides have good/decent internet connection and of course webcam/mic.

 

All other platforms are designed for small, short audio/video messages being transferred, or are more focused on picture sharing or text sharing over audio/video.

 

Skype for Business is a completely different platform. It is Lync renamed to "Skype". The only similarity that Skype for Business has with Skype is the name. In any case, Skype for Business is being axed by MS and switched over to Microsoft Teams, which is far more useful for businesses these days, far better, more powerful. It is totally different chat software. It is like Slack, if you know it, with a focus on medium and large businesses and enterprises, while Slack is more focused on smaller companies. The pricing model of both reflects that as well. MS has the knowledge and expertise to make a good solution for the target audience (medium-large companies and enterprises).

22 minutes ago, Cheezdoodlez said:

[...]Afaik LMG also uses Skype for stuff. [...]

1 hour ago, CMYKninja said:

LMG does didn't they say it in the last WAN Show?

 

Yeah they use it but Linus has been quite clear about how he uses it only because others do, and he'd much rather use something else.  I think it's still around for the same reasons as VGA, Windows XP, and other things like that.  People are used to it, it's everywhere, etc.

 

I mean they even did a comparison of some chat programs and concluded (to paraphrase) that Skype should not be used for any reason xD

It's basically the Internet Explorer of chat programs

2 hours ago, SC2Mitch said:

Why are people still using Skype? It's fucking ancient 

Add me on MSN Messenger

