Ah well, at least it isn’t likely to bork your system… Hello? Hello?
MICROSOFT HAS said that it won’t be rushing to fix a vulnerability in its car sick messenger app Skype because it’s too much like hard work.
The bug in the automatic updater (turd polisher) for the Windows desktop app has a ruddy great hole in it that will let dodgy DLLs through.
The result, if exploited would mean that an ordinary user account would get all the privileges of a SYSTEM user.
If there’s a reason why you’ve never made anyone a SYSTEM user, it’s because you can’t, you shouldn’t, and heaven help you if you do. It’s like a hidden Administrator account, but with even more access that only Windows should have for itself, such is the mayhem you can do with it.
Stefan Kanthak, who discovered the flaw, gave full disclosure after receiving this response from his contact at Skype: “They’ve reviewed the code and were able to reproduce the issue, but have determined that the fix will be implemented in a newer version of the product rather than a security update.
“The team is planning on shipping a newer version of the client, and this current version will slowly be deprecated. The installer would need a large code revision to prevent DLL injection, but all resources have been put toward development of the new client.”
Long story short – there’s so much code that would need to be rewritten that it isn’t worth it to Microsoft to shore-up this version. What’s not quite clear is whether this affects the grotesque UWP version of Skype or just the old desktop version.
Either is bad – if the UWP then facepalms at dawn because Windows 10 continually nags users to switch to it.
If the old desktop one, that’s far worse because it means that Microsoft sees it as approaching EOL when its replacement is… well, just awful (we’ve gone back to the non-UWP version).
What is becoming apparent though is that although the problem has been isolated on Windows, there’s every chance that Mac and Linux updaters could well have exactly the same fault. µ
Source : Inquirer