As of January 2018, Skype had approximately 300 million users, according to statistics from Statista. Even though Skype is not the most popular or widely used messenger, its user base is still sizeable, so any news of a loophole in Skype's security is troublesome, to say the least.
Such is the case with the recently discovered severe vulnerability in Skype, which could allow attackers to obtain full access to the compromised host by escalating a local user with no privileges to system-level privileges. The flaw was discovered by security researcher Stefan Kanthak, who reported it to Microsoft. It resides in Skype's update installer, which was found to be vulnerable to DLL hijacking.
The severity of the DLL hijacking vulnerability, however, is not the only issue here. Apparently, Microsoft, the owner of Skype, isn't planning to fix the flaw any time soon. The reason is not that the flaw can't be patched; it's that patching it would require the software to be entirely rewritten. What does this mean? Instead of simply releasing a patch, Microsoft would have to release a brand new version of the messenger.
More about DLL Hijacking Vulnerability
In such an attack, the attacker abuses the search order of the Windows DLL loader. “Exploitation of this preferential search order can allow an attacker to make the loading process load the attackers’ rogue DLL rather than the legitimate DLL,” researchers explained. More specifically:
An attacker with access to the file system may place a malicious ntshrui.dll in the C:\Windows directory. This DLL normally resides in the System32 folder. Process explorer.exe, which also resides in C:\Windows, upon trying to load ntshrui.dll from the System32 folder, will actually load the DLL supplied by the attacker simply because of the preferential search order.
Since the attacker has placed its malicious ntshrui.dll in the same directory as the loading explorer.exe process, the DLL supplied by the attacker will be found first and thus loaded in lieu of the legitimate DLL. Since explorer.exe is loaded during the boot cycle, the attackers’ malware is guaranteed to execute.
All of the above means that an attack leveraging the Skype DLL hijacking flaw can be carried out with a range of DLL files and loading processes. The worst part is that no traces are left in either the registry or the file system to indicate that an incorrect DLL was loaded.
In a successful hijacking of the update process, the attacker would download and place the maliciously crafted DLL into a temporary folder. When Skype's update installer attempts to locate the relevant DLL, it finds the malicious one instead and installs the maliciously crafted code.
Even though Kanthak, the researcher who reported the flaw, tested the attack on the Windows desktop version of Skype, he believes that the same DLL hijacking technique could be used against other operating systems such as Linux and macOS. It should be noted that the exploit of the flaw was confirmed to work on the desktop version of Skype.
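To make the search-order point concrete, the following Python script is an added example (not from the article or from Kanthak's research) that models the loader's probe order for a bare DLL name and flags every System32 DLL that a copy earlier in the order would shadow. The directory tree it audits is constructed in a temporary folder and mirrors the ntshrui.dll case above; the same functions can be pointed at a real Windows directory and application directory.

```python
import os
import tempfile
from typing import List, Optional, Tuple

def search_order(app_dir: str, windows_dir: str, cwd: str, path_dirs: List[str]) -> List[str]:
    """Directories probed, in order, for a bare DLL name (SafeDllSearchMode on)."""
    return [app_dir, os.path.join(windows_dir, "System32"), os.path.join(windows_dir, "System"),
            windows_dir, cwd, *path_dirs]

def resolve_dll(name: str, dirs: List[str]) -> Optional[str]:
    """The first directory in `dirs` that holds `name` wins, exactly as the loader does."""
    for d in dirs:
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate):
            return candidate
    return None

def find_shadowed_dlls(app_dir: str, windows_dir: str, cwd: str,
                       path_dirs: List[str]) -> List[Tuple[str, str]]:
    """(dll name, path the loader would pick) for each System32 DLL that resolves elsewhere.
    KnownDLLs always load from System32 and are not modelled: possible false positives."""
    system32 = os.path.join(windows_dir, "System32")
    order = search_order(app_dir, windows_dir, cwd, path_dirs)
    hits = []
    for name in sorted(os.listdir(system32)):
        if not name.lower().endswith(".dll"):
            continue
        chosen = resolve_dll(name, order)
        if chosen and os.path.normcase(os.path.dirname(chosen)) != os.path.normcase(system32):
            hits.append((name, chosen))
    return hits

def build_demo_layout() -> Tuple[str, str]:
    """Constructed tree: real DLLs under System32 plus a planted ntshrui.dll beside explorer.exe."""
    root = tempfile.mkdtemp(prefix="dllaudit_")
    windows = os.path.join(root, "Windows")
    os.makedirs(os.path.join(windows, "System32"))
    for name in ("ntshrui.dll", "kernel32.dll"):
        open(os.path.join(windows, "System32", name), "wb").close()
    open(os.path.join(windows, "ntshrui.dll"), "wb").close()  # the planted copy
    return root, windows

def demo() -> List[Tuple[str, str]]:
    """Audit the constructed tree as explorer.exe (application dir = Windows) would load from it."""
    root, windows = build_demo_layout()
    return find_shadowed_dlls(windows, windows, root, [])

if __name__ == "__main__":
    for name, path in demo():
        print(f"{name} resolves to {path}, not System32")
```

On a real host, a hit whose file is unsigned or whose hash differs from the System32 copy is the finding worth escalating; kernel32.dll in the demo resolves cleanly because nothing earlier in the order shadows it.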
Vulnerabilities in Skype Not a New Thing
In June 2017, another severe flaw was found in Skype. It was assigned the identifier CVE-2017-9948 and was a stack buffer overflow in Microsoft Skype 7.2, 7.35, and 7.36 before 7.37. The flaw involved MSFTEDIT.DLL mishandling remote RDP clipboard content within the message box, as researchers explained. The highly severe vulnerability was disclosed on 16 May 2017.
The vulnerability was remotely exploitable via a session or through local interaction. The issue resided in the print clipboard format and cache transmit via remote session. Affected systems were Windows XP, Windows 7, Windows 8, and Windows 10. Keep in mind that the vulnerability was addressed and patched in Skype v7.37.
As for the current DLL hijacking flaw, until Microsoft finishes the brand new version of Skype that will replace the currently vulnerable one, users should be extra cautious with their online activities. It's highly advisable to employ an anti-malware program to guard the system against malware attacks.