
Severe DLL Hijacking Flaw in Skype Won’t Be Patched by Microsoft

As of January 2018, Skype has been used by approximately 300 million users, according to statistics by Statista. Even though Skype is not the most popular and widely used messenger, its user base is still quite big. So any news regarding a loophole in the security of Skype is troublesome, to say the least.

Such is the case with the recently discovered severe vulnerability in Skype, which could allow attackers to obtain full access to the compromised host by escalating a local user with no privileges to system-level privileges. The flaw was discovered by security researcher Stefan Kanthak, who reported it to Microsoft. It resides in Skype’s update installer, which was found to be vulnerable to DLL hijacking.

The severity of the DLL hijacking vulnerability, however, is not the only issue here. Apparently, Microsoft, the owner of Skype, isn’t planning on fixing the flaw any time soon. The reason is not that the flaw can’t be patched, but that patching it would require the software to be entirely rewritten. In other words, instead of simply releasing a patch, Microsoft would have to release a brand new version of the messenger.


More about DLL Hijacking Vulnerability

In case of such an attack, hackers would exploit the functionality of the Windows DLL loader. “Exploitation of this preferential search order can allow an attacker to make the loading process load the attackers’ rogue DLL rather than the legitimate DLL,” researchers explained. More specifically:

An attacker with access to the file system may place a malicious ntshrui.dll in the C:\Windows directory. This DLL normally resides in the System32 folder. Process explorer.exe which also resides in C:\Windows, upon trying to load the ntshrui.dll from the System32 folder will actually load the DLL supplied by the attacker simply because of the preferential search order.

Since the attacker has placed its malicious ntshrui.dll in the same directory as the loading explorer.exe process, the DLL supplied by the attacker will be found first and thus loaded in lieu of the legitimate DLL. Since explorer.exe is loaded during the boot cycle, the attackers’ malware is guaranteed to execute.

All of the above means that the attack leveraging the Skype DLL hijacking flaw can happen using a range of DLL files with various loading processes. The worst part is that no traces are left in either the registry or the file system indicating that an incorrect DLL had been previously loaded.

In case of a successful hijacking of the update process, the attacker would download and place the maliciously crafted DLL into a temporary folder. When Skype’s update installer attempts to locate the relevant DLL, it will locate the malicious one instead, and will install the maliciously crafted code.
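From the defender's side, the search-order problem described above shows up at load time as a system DLL name being loaded from somewhere other than the system directory. The following is an added example, not code from the original article or from the researcher: it checks image-load records (process image, loaded module path) against a System32 inventory. The inventory, the sample records, the updater path and helper.dll are all constructed for illustration.

```python
import ntpath  # Windows path semantics, usable on any OS

SYSTEM32 = r"C:\Windows\System32"
# Constructed inventory of DLL names expected to load from System32 only.
# ntshrui.dll is the article's example; helper.dll is hypothetical.
SYSTEM_DLLS = {"ntshrui.dll", "shell32.dll", "helper.dll"}
TRUSTED_DIRS = {ntpath.normcase(SYSTEM32),
                ntpath.normcase(r"C:\Windows\SysWOW64")}

# Constructed image-load records: (process image, loaded module path).
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\shell32.dll"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\ntshrui.dll"),
    (r"C:\Users\alice\AppData\Local\Temp\upd-example\updater.exe",
     r"C:\Users\alice\AppData\Local\Temp\upd-example\helper.dll"),
    (r"C:\Program Files\App\app.exe", r"C:\Program Files\App\plugin.dll"),
]

def classify_load(process_image, module_path):
    """Return None for an expected load, else a finding dict."""
    name = ntpath.basename(module_path).lower()
    mod_dir = ntpath.normcase(ntpath.dirname(module_path))
    # Only system DLL names loaded from outside the system dirs matter.
    if name not in SYSTEM_DLLS or mod_dir in TRUSTED_DIRS:
        return None
    # The loader looks in the process's own directory before System32,
    # so a same-directory copy is the classic shadowing case.
    same_dir = mod_dir == ntpath.normcase(ntpath.dirname(process_image))
    return {
        "process": process_image,
        "module": module_path,
        "expected": ntpath.join(SYSTEM32, name),
        "reason": ("application-directory shadow" if same_dir
                   else "unexpected directory"),
    }

def find_shadowed_loads(events):
    """Collect findings for every suspicious load in the event list."""
    return [f for f in (classify_load(p, m) for p, m in events) if f]

if __name__ == "__main__":
    for finding in find_shadowed_loads(SAMPLE_EVENTS):
        print(finding["reason"], "|", finding["process"], "loaded",
              finding["module"], "| expected", finding["expected"])
```

Because load-time telemetry is recorded when the DLL is mapped, it can surface a shadowed load even when the file is later removed from the temporary folder.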

Even though Kanthak, the researcher who reported the flaw, tested the attack on the Windows desktop version of Skype, he believes that the same DLL hijacking technique could be used against other operating systems like Linux and macOS. It should be noted that the exploit of the flaw works on the desktop version of Skype.

Vulnerabilities in Skype Not a New Thing

In June 2017, another severe flaw was found in Skype. The flaw was given the CVE-2017-9948 identifier and was a stack buffer overflow in Microsoft Skype 7.2, 7.35, and 7.36 before 7.37. It involved MSFTEDIT.DLL mishandling remote RDP clipboard content within the message box, as explained by researchers. The highly severe vulnerability was disclosed on the 16th of May, 2017.


The vulnerability was remotely exploitable via a session or by local interaction. The issue resided in the print clipboard format & cache transmit via remote session. Affected systems were Windows XP, Windows 7, Windows 8 and Windows 10. Keep in mind that the vulnerability was addressed and patched in Skype v7.37.

As for the current DLL hijacking flaw, until Microsoft is done working on the brand new version of Skype that will replace the currently vulnerable one, users should be extra cautious with their online activities. It’s highly advisable to employ an anti-malware program to guard the system against malware attacks.



Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
