Microsoft had a rough time when the Spectre and Meltdown threat, which affected almost all major chip makers including Intel, AMD and ARM, was revealed. Microsoft issued an update to deal with the issue, but that went wrong as well: the update wrecked some AMD-powered PCs. Now the software giant is looking to resolve another major security issue, this time in Skype for Windows. However, the company needs more time to fix it.
Security researcher Stefan Kanthak recently discovered a bug that may cause the Skype updater to load a malicious library instead of the correct one. An attacker only needs to put a fake DLL into a user-accessible temporary folder, using the name of an existing DLL that anyone can modify without needing system access. Microsoft has also confirmed that Skype has a security flaw that can give attackers system-level access.
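As an added example (not from the article, Microsoft or Kanthak), a defender can look for the pattern described above in image-load telemetry: a process running as SYSTEM that loads a DLL from a temp directory ordinary users can write to. The event records are constructed, and the field names (modelled on Sysmon's image-load event), the temp-path markers and all file names are assumptions.

```python
import ntpath  # Windows path semantics, works on any OS

# Assumption: default Windows temp locations that standard users can write to.
TEMP_MARKERS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\")
PRIVILEGED_USERS = {"nt authority\\system"}


def in_user_writable_temp(path):
    """True if the normalized path lies under one of the temp markers."""
    normalized = ntpath.normpath(path).lower()
    return any(marker in normalized for marker in TEMP_MARKERS)


def suspicious_loads(events):
    """Return (normalized DLL path, signed?) for privileged loads from temp."""
    hits = []
    for ev in events:
        if ev["User"].strip().lower() not in PRIVILEGED_USERS:
            continue  # the risk described is elevation to SYSTEM
        if in_user_writable_temp(ev["ImageLoaded"]):
            hits.append((ntpath.normpath(ev["ImageLoaded"]), ev["Signed"] == "true"))
    return hits


# Constructed sample records; all paths and names are hypothetical.
SAMPLE_EVENTS = [
    {"User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\Temp\\upd-example\\Updater.exe",
     "ImageLoaded": "C:/Windows/Temp/upd-example/example.dll", "Signed": "false"},
    {"User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\Temp\\upd-example\\Updater.exe",
     "ImageLoaded": "C:\\Windows\\Temp\\..\\System32\\version.dll", "Signed": "true"},
    {"User": "DESKTOP\\alice", "Image": "C:\\Program Files\\Example\\app.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\plugin.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for dll, signed in suspicious_loads(SAMPLE_EVENTS):
        print(f"SYSTEM process loaded {dll} from a user-writable temp dir (signed={signed})")
```

Paths are normalized before matching, so a `..` segment that leaves the temp directory does not raise a false alert and forward slashes do not hide a real one.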
Microsoft cannot fix the issue immediately since that would require a complete code revamp. The bug lies in the Skype update function, which can be tricked into granting permissions by inserting incorrect code. According to Kanthak, “They’ve reviewed the code and were able to reproduce the issue, but have determined that the fix will be implemented in a newer version of the product rather than a security update.”
It seems Microsoft will not be issuing a security update anytime soon. Instead, Skype will undergo a major revision later, in which the bug will be fixed. According to the official statement given by the company, “We have a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is that on issues of low risk, we remediate that risk via our Update Tuesday schedule.” The security flaw is limited to the full Skype program on the desktop; users of the Universal Windows Platform (UWP) version are not affected.