17 February 2018
Media reported on a new vulnerability in the Skype updater service this week. According to ZDNet (1), security researcher Stefan Kanthak found that the Skype update installer could be exploited with a DLL hijacking technique.
Kanthak describes in his post (2) on seclists.org how the attack works:
“An unprivileged (local) user who is able to place UXTheme.dll or any of the other DLLs loaded by the vulnerable executable in %SystemRoot%\Temp\ gains escalation of privilege to the SYSTEM account.”
Escalation of privilege to the SYSTEM account sounds dangerous. Why should Microsoft not care about this vulnerability?
From my point of view, Microsoft does not care because this vulnerability is easy to mitigate. Let us look at the access vectors.
Access Vector: Local
An unprivileged local user is not able to place something in %SystemRoot%\Temp. I checked this on Windows 7 Enterprise Edition and Windows 10 Pro. In either case I got the error message “You don’t currently have permissions to access this folder.”
And in either case User Account Control prompts for the password of an administrator’s account to change the settings.
So the local attack works only if the user permanently works with administrative privileges.
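The check behind this argument can be scripted. The following PowerShell audit is an added example and not code from the original post or from the researcher; it reads the ACL of %SystemRoot%\Temp, reports every principal outside an assumed list of trusted accounts that holds any write or create right there, tests whether the account running the script can actually create a file in that folder, and looks for the DLL name quoted from the advisory. The names in $trusted are an assumption about what belongs on a default system; run it elevated, since reading the ACL of that folder may itself need administrative rights.

```powershell
# Added example (not from the original post): audit who may write to %SystemRoot%\Temp.
$tempDir = Join-Path $env:SystemRoot 'Temp'

# Assumption: these principals are expected to have write access; anything else is reported.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER',
             'NT SERVICE\TrustedInstaller')

# Any of these rights lets a principal drop a file into the folder.
$writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-UntrustedWriters {
    param([string]$Path)
    # Allow-ACEs granting a write-type right to a principal not in $trusted.
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $writeMask) -ne 0) -and
            ($trusted -notcontains $_.IdentityReference.Value)
        } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags
}

function Test-CanCreateFile {
    param([string]$Path)
    # Effective-rights test for the current account: try to create and remove a probe file.
    $probe = Join-Path $Path ("acl-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [System.IO.File]::Create($probe).Dispose()
        Remove-Item -Path $probe -Force
        return $true
    } catch {
        return $false
    }
}

# DLL name taken from the advisory quoted above.
$watchList = @('UXTheme.dll')

Write-Host "Folder: $tempDir"
Write-Host "`nPrincipals outside the trusted list with write/create rights:"
$writers = Get-UntrustedWriters -Path $tempDir
if ($writers) { $writers | Format-Table -AutoSize } else { Write-Host '  (none)' }

Write-Host ("`nCurrent account ({0}) can create a file here: {1}" -f
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Name,
    (Test-CanCreateFile -Path $tempDir))

Write-Host "`nWatched DLL names already present in the folder:"
foreach ($name in $watchList) {
    if (Test-Path -Path (Join-Path $tempDir $name)) { Write-Host "  FOUND: $name" }
}
```

Run it once from an elevated prompt to see the full ACL, and once from a plain user session to see the effective-rights result for an unprivileged account; if the second run reports that a file could be created, the folder is writable for that account regardless of what the Explorer error message suggests.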
Access Vector: Network
ZDNET (1) reports that the vulnerability is remotely exploitable:
“The attack reads on the clunky side, but Kanthak told ZDNet in an email that the attack could be easily weaponized. He explained, providing two command line examples, how a script or malware could remotely transfer a malicious DLL into that temporary folder.”
That sounds strange. From the discussion above we know that under normal conditions access to %SystemRoot%\Temp\ is limited to members of the Administrators group. To access this folder remotely an attacker needs access to e.g. the \\systemname\c$ administrative share. For this, either a local administrative account or a network account which is a member of the local Administrators group is required. In either case this means that your network is already compromised.
Conclusion: In a Windows network with a basic standard of cyber hygiene, the likelihood that this vulnerability is easily exploitable is low.
But the most important reason for Microsoft not caring about this is that an updated version of Skype exists in which the bug is fixed (3).
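Whether the fixed version is actually installed is the one thing left to verify on each machine. The following script is an added example, not from the original post or from Microsoft; it reads the installed-program entries from both Uninstall registry hives, picks the Skype entries and compares their version with the 7.40 threshold named in the Microsoft forum post (3), treating "7.40 and lower" as affected. The DisplayName pattern and the assumption that the entry exposes a parsable DisplayVersion are mine.

```powershell
# Added example (not from the original post): report installed Skype versions against the 7.40 threshold from (3).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-AffectedVersion {
    param([string]$DisplayVersion)
    # "7.40 and lower" is affected; compare major.minor only so that 7.40.x still counts as affected.
    try { $v = [version]$DisplayVersion } catch { return $null }   # unparsable -> unknown
    return ($v.Major -lt 7) -or ($v.Major -eq 7 -and $v.Minor -le 40)
}

function Get-SkypeInstallStatus {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Skype*' } |      # assumption: classic Skype desktop entries start with "Skype"
        ForEach-Object {
            $affected = Test-AffectedVersion -DisplayVersion $_.DisplayVersion
            [pscustomobject]@{
                Name     = $_.DisplayName
                Version  = $_.DisplayVersion
                Status   = if ($null -eq $affected) { 'unknown (version not parsable)' }
                           elseif ($affected)       { 'AFFECTED - update to a version above 7.40' }
                           else                     { 'fixed version' }
            }
        }
}

$status = Get-SkypeInstallStatus
if ($status) { $status | Format-Table -AutoSize } else { Write-Host 'No Skype desktop installation found in the Uninstall keys.' }
```

The same function can be wrapped in a remoting call (Invoke-Command over a list of hosts) to get a fleet-wide view, which is the check that settles whether the issue still matters in a given network.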
To say it with Shakespeare: Much Ado About Nothing.
Have a good weekend.
1. Whittaker Z. Skype can’t fix a nasty security bug without a massive code rewrite [Internet]. ZDNet. 2018 [cited 2018 Feb 17]. Available from: http://www.zdnet.com/article/skype-cannot-fix-security-bug-without-a-massive-code-rewrite/
2. Kanthak S. Full Disclosure: Defense in depth – the Microsoft way (part 51): Skype's home-grown updater allows escalation of privilege to SYSTEM [Internet]. 2018 [cited 2018 Feb 17]. Available from: http://seclists.org/fulldisclosure/2018/Feb/33
3. Kilbourne E. Update on Skype for Windows desktop installer – version 7.40 and lower [Internet]. Microsoft Skype Forum. 2018 [cited 2018 Feb 17]. Available from: https://answers.microsoft.com/en-us/skype/forum/skype_newsms/update-on-installer-for-skype-for-windows-desktop/242f1415-1399-42e1-a6a2-cd535c8b7ff8?tm=1518635969608&auth=1