Skype can't fix a nasty security bug without a massive code rewrite (low-level user access)

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
The bug grants a low-level user access to every corner of the operating system.

A security flaw in Skype's updater process can allow an attacker to gain system-level privileges to a vulnerable computer.

The bug, if exploited, can escalate a local unprivileged user to the full "system" level rights -- granting them access to every corner of the operating system.

But Microsoft, which owns the voice- and video-calling service, said it won't immediately fix the flaw, because the bug would require too much work.

Security researcher Stefan Kanthak found that the Skype update installer could be exploited with a DLL hijacking technique, which allows an attacker to trick an application into drawing malicious code instead of the correct library. An attacker can download a malicious DLL into a user-accessible temporary folder and rename it to an existing DLL that can be modified by an unprivileged user, like UXTheme.dll. The bug works because the malicious DLL is found first when the app searches for the DLL it needs.

Once installed, Skype uses its own built-in updater to keep the software up to date. When that updater runs, it uses another executable file to run the update, which is vulnerable to the hijacking.

Once "system" privileges are gained, an attacker "can do anything," Kanthak said.

"'System' is 'administrator' on steroids," he added.
From there, an attacker could steal files, delete data, or hold data hostage by running ransomware.
Kanthak informed Microsoft of the bug in September, but the software giant said issuing a fix would require the updater to go through "a large code revision."
The company told him that even though engineers "were able to reproduce the issue," a fix will land "in a newer version of the product rather than a security update."

Instead, the company said it's put "all resources" on building an altogether new client.
 

Deleted member 65228

They are wrong.

They can patch this vulnerability effortlessly. All they need to do is patch LdrLoadDll (NTDLL) and verify that all modules attempting to be loaded are digitally signed by Microsoft and that the digital signature is verified.

It might reduce performance for the updater a little bit but it isn't really all that bad and it would do the job.

Moving on, they should have known better and designed the product to operate in a secure fashion.
 

Deleted member 65228

To explain further.

1. LoadLibraryA/W
2. LoadLibraryExA/W
3. LdrLoadDll

That's why you want to patch LdrLoadDll over LoadLibraryA/W or LoadLibraryExA/W. LdrLoadDll is exported by NTDLL and while it's technically "undocumented", it's very straightforward to make use of (and patch) the routine. LdrLoadDll is called by LoadLibraryExA/W, and LoadLibraryExA/W is called by LoadLibraryA/W. LdrLoadDll will call some non-exported routines with the beginning name "Ldrp" (e.g. LdrpLoadDll).

Code:
typedef NTSTATUS(NTAPI *pLdrLoadDll)(
        PWSTR SearchPathInfo OPTIONAL,
        PULONG LoadFlagsInfo OPTIONAL,
        PUNICODE_STRING ModuleNameInfo,
        HMODULE *BaseAddress OPTIONAL
);

The UNICODE_STRING structure has a field named Buffer (data-type PWSTR/PWCHAR/WCHAR*/wchar_t* (however you refer to it - they are just different names for a wchar_t pointer)) which holds the DLL name/path, but LdrLoadDll gets a pointer to that UNICODE_STRING structure.

Code:
typedef struct _LSA_UNICODE_STRING {
  USHORT Length;
  USHORT MaximumLength;
  PWSTR  Buffer;
} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;

You compare with the Buffer of the PUNICODE_STRING parameter to determine if it's a known module and is accepted to be loaded into the address space of the process, if it isn't then you block the operation by allowing the original call with dummy parameters or return an appropriate NTSTATUS error code. Furthermore, you then check the digital signature if the first stage was passed and if it's still allowed to be loaded then you allow the normal routine to execute by temporarily removing the patch, executing the memory, re-patching the memory and then returning the NTSTATUS error code returned by the execution of the memory in which the function stub was present.

It would take hardly any effort and time to patch LdrLoadDll as a form of mitigating this vulnerability, assuming I've understood the article correctly and the article is correct and up-to-date with information regarding the vulnerability. To my understanding, the Skype updater process (which is privileged) will be fooled into loading a module it shouldn't be via an on-disk DLL hijacking technique... If this is correct, then yes, this technique to mitigate the patch (and any other future DLL hijack techniques which work alike it) will become mitigated, because LdrLoadDll has to be passed before the module can be successfully loaded. Skype will be using documented routines, it probably uses LoadLibraryA/W. In the end, it'll reach the patch in-memory and the attack would be mitigated before the rogue DLL can be properly loaded into the address space of the privileged updater process and execute code.

Microsoft even have their own API hooking engine dubbed "MS Detours".

There you go... Simple. Quick and easy whilst effective.
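Stage one of the load filter described in this post, as an added example (my code, not the poster's): a portable C stand-in for the UNICODE_STRING check, with the allowlist and trusted directory as constructed assumptions. It goes one step beyond the plain name compare by requiring a full path inside the trusted directory, because a bare name is resolved by the loader's search order, which is exactly what the hijack relies on.

```c
#include <stddef.h>
#include <stdint.h>
#include <wchar.h>
#include <wctype.h>
/* Portable stand-in for the Windows UNICODE_STRING (winternl.h on Windows):
 * Length is in BYTES, not characters, and Buffer need not be NUL-terminated. */
typedef struct {
    uint16_t Length;
    uint16_t MaximumLength;
    wchar_t *Buffer;
} UNICODE_STRING;
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS       ((NTSTATUS)0x00000000)
#define STATUS_DLL_NOT_FOUND ((NTSTATUS)0xC0000135)

/* Constructed policy (assumption): the only directory and base names the updater may load. */
static const wchar_t kTrustedDir[] = L"C:\\Windows\\System32\\";
static const wchar_t *const kAllowed[] = { L"kernel32.dll", L"advapi32.dll", L"uxtheme.dll" };

/* Case-insensitive compare of a counted string (n chars) with a NUL-terminated one. */
static int eq_ci(const wchar_t *a, size_t n, const wchar_t *b) {
    size_t i;
    for (i = 0; i < n; i++)
        if (b[i] == L'\0' || towlower((wint_t)a[i]) != towlower((wint_t)b[i])) return 0;
    return b[i] == L'\0';
}

/* Stage one of the filter: decide from the request string alone (the signature
 * check is a separate stage, not shown). A bare name or a path outside the
 * trusted directory is refused with a real NTSTATUS the caller already handles. */
NTSTATUS filter_module_load(const UNICODE_STRING *name) {
    size_t n = name->Length / sizeof(wchar_t), dirn = wcslen(kTrustedDir), i, base = 0;
    const wchar_t *s = name->Buffer;
    for (i = 0; i < n; i++)                    /* base name starts after the last separator */
        if (s[i] == L'\\' || s[i] == L'/') base = i + 1;
    if (base != dirn || !eq_ci(s, dirn, kTrustedDir)) return STATUS_DLL_NOT_FOUND;
    for (i = 0; i < sizeof kAllowed / sizeof kAllowed[0]; i++)
        if (eq_ci(s + base, n - base, kAllowed[i])) return STATUS_SUCCESS;
    return STATUS_DLL_NOT_FOUND;
}

/* Build the request the way the loader hands it to LdrLoadDll: counted, length in bytes. */
NTSTATUS check_counted(wchar_t *buf, size_t nchars) {
    UNICODE_STRING u;
    u.Length = (uint16_t)(nchars * sizeof(wchar_t));
    u.MaximumLength = u.Length;
    u.Buffer = buf;
    return filter_module_load(&u);
}
NTSTATUS check_path(wchar_t *path) { return check_counted(path, wcslen(path)); }
```

Note that this only decides on the string; a copy of a legitimately named DLL placed under the trusted directory would still need the signature stage the post describes.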
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
That terrifying 'unfixable' Microsoft Skype security flaw: THE TRUTH

Microsoft has poured a bucket of cold water on people freaking out over a supposedly unfixable security flaw in Skype.

The infosec world was atwitter this week over fears and headlines of a nasty bug in Redmond's video chat app that apparently cannot be addressed without a massive code rewrite. That the programming blunder was so major, it cannot be simply patched, and Microsoft will have no option but to reengineer Skype for Windows and issue a new release sometime in the future.


Well, it was fixed in October.

Far be it from us to run to Microsoft's rescue, but the vulnerability is present in Skype for Windows versions 7.40 and lower. In October 2017, Microsoft released version 8 without the flaw, so if you kept up to date, you're fine. If you're running version 7 for some reason, get version 8.
...
...
 

Deleted member 65228

Not to mention that the vulnerability worked via DLL hijacking. Microsoft even have their own policy mitigation features which can be enabled to block non-MS signed modules, etc. Whether the module load is manually invoked or not by Skype, it'd still be enforced if it was enabled (and thus should block the attack)

Please can someone tell me what silly people told news that it was still unpatched and was not going to be fixed.. stupid idea
 

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
Far be it from us to run to Microsoft's rescue, but the vulnerability is present in Skype for Windows versions 7.40 and lower. In October 2017, Microsoft released version 8 without the flaw, so if you kept up to date, you're fine. If you're running version 7 for some reason, get version 8.

Great news. But I wasn't able to update version 7 from within version 7 to version 8 as it said "You already have the latest version". Apparently not!
 

Vasudev

Level 33
Verified
Nov 8, 2014
2,247
For those wanting to get rid of the older 7.40 release, download the Skype Desktop App and use W8 compatibility to install it on W7, W8 and possibly older Windows releases. The UI is the same as on Droid and iOS as well.
 

ForgottenSeer 58943

Skype is largely a surveillance product. I wouldn't use it. NSA put a bounty on breaking skype encryption years ago because Skype had some good security and wasn't based in the USA, out of reach of the fake FISA Court and NSL's.. So then they decided to just have M$ buy it and backdoor it for them through Prism. I'm surprised anyone uses Skype.

NSA offering 'billions' for Skype eavesdrop solution

Newly published NSA documents show agency could grab all Skype traffic

Government Surveillance Through Skype
 

Deleted member 65228

The vulnerability fix is only for the Windows 10 version from the Windows Store?

Well if that is the case then the explanation is simple. The Windows 10 version of Skype enforces mitigation policies, exactly what I was referring to earlier today, which prevents DLLs which do not fit the criteria from being loaded into the address space of the Skype processes.
 

Deleted member 65228

That's very interesting, but where did you read that?
Oh, no, I was asking as a question hahahaha.

I had the Win32 Desktop version of Skype and it was outdated even though it was telling me there's no more additional updates. However, the Windows 10 Store version updates to the latest 12.XXXXX or whatever without an issue.

Is there an update to the Win32 Desktop version which the default Skype updater isn't finding, or are they forcing you to use the Windows Store version to have an up-to-date and secure version of Skype?
 

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
Quote : " There was an issue with an older version of the Skype for Windows desktop installer – version 7.40 and lower. The issue was in the program that installs the Skype software – the issue was not in the Skype software itself. Customers who have already installed this version of Skype for Windows desktop are not affected. We have removed this older version of Skype for Windows desktop from our website skype.com.

The installer for the current version of Skype for Windows desktop (v8) does NOT have this issue, and it has been available since October, 2017. "

Source : Update on Skype for Windows desktop installer – version 7.40 and lower. Ellen Kilbourne is Skype's program manager.

I installed the Desktop version ( version 8.15.04. ) on my Windows 7 machine without any issues from here : Download Skype | Free calls | Chat app

 

Deleted member 65228

Does Skype setting in UWP app work for you? For me, it didn't work at all.
It didn't work for 5 months (literally - it either didn't want to open past the sign-in page or it would close down after signing in).

The other day it just started working for me out of nowhere. I admit that it is still a bit buggy though...
 

Vasudev

Level 33
Verified
Nov 8, 2014
2,247
It didn't work for 5 months (literally - it either didn't want to open past the sign-in page or it would close down after signing in).

The other day it just started working for me out of nowhere. I admit that it is still a bit buggy though...
Me too. It suddenly started acting up like that 3 months ago and I can't use it at all. So I uninstalled Skype UWP and am a happy desktop app Win32 user now.
 
