Redmond, you’ve got a problem!
In 2012, Microsoft started to distribute Skype for Windows® Desktop to users of Windows XP, Windows Vista and Windows 7, first through Windows Update as optional update 2692954 and 2727727, then through Microsoft Update as optional update 2876229, and made the latter available in the Microsoft Update Catalog.
Note: Microsoft’s designation of the initial installer as update is a euphemism!
skypesetupfull(126.96.36.199).exe, the version available through Microsoft Update and the latest version available in the Microsoft Update Catalog, is susceptible to DLL preloading, a well-known and well-documented vulnerability.
The CVE® lists the vulnerability as CVE-2016-5720, the CWE™ lists the weaknesses as CWE-426: Untrusted Search Path and CWE-427: Uncontrolled Search Path Element, the CAPEC™ lists the attack as CAPEC-471: DLL Search Order Hijacking.
The vulnerable executable installer loads at least the following
application directory instead from
Additionally it loads
MZP.dll from the
DLL search path.
On Windows Vista and newer versions of
Windows NT, due to its embedded
the executable installer requests administrative privileges: all
DLLs it loads are
therefore executed with administrative privileges too. An attacker
who places any of these
DLLs in the
directory where the executable is stored, typically the user’s
gains escalation of privilege.
Microsoft published advisories and guidance to avoid this beginner’s error, for example Dynamic-Link Library Security, Insecure Library Loading Could Allow Remote Code Execution, Secure loading of libraries to prevent DLL preloading attacks and Load Library Safely,
which their own developers and their
quality assurance but
skypesetupfull(188.8.131.52).exe is vulnerable too.
The CWE™ lists its additional weaknesses as CWE-377: Insecure Temporary File and CWE-379: Creation of Temporary File in Directory with Incorrect Permissions.
Once installed, Skype uses its own proprietary update
mechanism instead of Microsoft Update: the program
%ProgramFiles%\Skype\Updater\Updater.exe is run
periodically under the
NT AUTHORITY\SYSTEM account, with the
%TMP% set to
When an update is available,
%ProgramFiles%\Skype\Updater\Updater.exe copies or
extracts another executable as
executes it using the command line
"%SystemRoot%\Temp\SKY‹abcd›.tmp" /QUIET
This executable is vulnerable to
DLL hijacking too: it loads at least
%SystemRoot%\Temp\ instead from Windows’
%SystemRoot%\Temp\ is writable for unprivileged (local) users: its NTFS ACL entries
(A;OICIIO;FA;;;CO) grant members of the
BUILTIN\Users group the right to create files and subdirectories, plus full access to their own creations.
UXTheme.dll or any of the other DLLs loaded by the vulnerable executable
%SystemRoot%\Temp\ gains escalation of privilege to the
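One way to audit a directory for the condition described above, as an added example that is not code from the original page: a small Python parser for the DACL part of an SDDL string that reports whether unprivileged users can create files in the directory. Only the ACE `(A;OICIIO;FA;;;CO)` is quoted from the page; the other ACEs in the two sample strings are constructed, and deny ACEs are ignored for brevity.

```python
import re

FILE_ADD_FILE = 0x0002       # FILE_ADD_FILE: create files in a directory
FILE_ALL_ACCESS = 0x1F01FF   # SDDL mnemonic "FA"
# SDDL rights mnemonics mapped to file access masks (generic rights folded in).
RIGHTS = {"FA": FILE_ALL_ACCESS, "GA": FILE_ALL_ACCESS,
          "FR": 0x120089, "GR": 0x120089, "FW": 0x120116, "GW": 0x120116,
          "FX": 0x1200A0, "GX": 0x1200A0}
# SDDL aliases of trustees that include ordinary local users.
LOW_PRIV = {"BU": "BUILTIN\\Users", "AU": "Authenticated Users",
            "WD": "Everyone", "IU": "INTERACTIVE"}

# Constructed samples: only the CREATOR OWNER ACE is quoted from the page.
WRITABLE_TEMP = ("O:SYG:SYD:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
                 "(A;CI;0x100026;;;BU)(A;OICIIO;FA;;;CO)")
ADMIN_ONLY = "O:SYG:SYD:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"


def parse_dacl(sddl):
    """Return (type, flags, mask, trustee) for each ACE in the DACL."""
    match = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not match:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", match.group(1)):
        ace_type, flags, rights, _, _, trustee = body.split(";")[:6]
        if rights.lower().startswith("0x"):
            mask = int(rights, 16)
        else:
            mask = 0
            for name in re.findall("..", rights):
                mask |= RIGHTS.get(name, 0)
        aces.append((ace_type, re.findall("..", flags), mask, trustee))
    return aces


def audit_directory(sddl):
    """Report ACEs that let unprivileged users plant files (deny ACEs ignored)."""
    findings = []
    for ace_type, flags, mask, trustee in parse_dacl(sddl):
        if ace_type != "A":
            continue
        # "IO" (inherit only) ACEs do not apply to the directory itself.
        if trustee in LOW_PRIV and "IO" not in flags and mask & FILE_ADD_FILE:
            findings.append(LOW_PRIV[trustee] + " can create files here")
        if trustee == "CO" and "OI" in flags and mask == FILE_ALL_ACCESS:
            findings.append("CREATOR OWNER gets full access to created files")
    return findings


if __name__ == "__main__":
    for name, sddl in (("writable", WRITABLE_TEMP), ("admin only", ADMIN_ONLY)):
        print(name, audit_directory(sddl) or "no findings")
```

On a live system the SDDL string of a directory can be read in PowerShell with `(Get-Acl "$env:SystemRoot\Temp").Sddl` and passed to `audit_directory`.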
Skype releases new versions of Skype for Windows throughout the year. To help you stay current with new functionality and features of the Skype experience, Skype is available through Microsoft Update.
Correct is: the version 184.108.40.206 offered through Microsoft Update was digitally signed on 2015-03-25 at 14:39:33 UTC, it was published on 2015-04-24 at 11:29:26 UTC, it was superseded, it is outdated, it is vulnerable, and Microsoft doesn’t fix it!
The MSKB article Skype for Microsoft Update tells a second lie:
To make it simple and fast for Skype users to upgrade to the latest version of Skype for Windows, we have integrated Skype into Microsoft Update. If you have Skype installed on your PC already, either directly from www.skype.com or through a preinstalled version on your PC, you will receive the latest version of Skype through Microsoft Update.
Correct is: Skype for Windows Desktop is not updated through Microsoft Update, but by a home-grown and vulnerable updater installed with the client, and the versions available through Microsoft Update or in the Microsoft Update Catalog do not receive the latest version of Skype for Windows Desktop!
At Skype, we take security very seriously.
No, you don’t!
Additionally, Skype would not
implement and use an executable installer, but a
Microsoft Installer package
Skype-‹version›.msi, and it would
not implement and use a proprietary updater, but
To discard these basic services offered by the Windows platform is a severe design bug, and to implement a vulnerable proprietary installer and updater instead is an epic failure!
There was an issue with an older version of the Skype for Windows desktop installer – version 7.40 and lower. The issue was in the program that installs the Skype software – the issue was not in the Skype software itself. Customers who have already installed this version of Skype for Windows desktop are not affected. We have removed this older version of Skype for Windows desktop from our website skype.com.
This
skypesetupfull(220.127.116.11).exe is still available through Microsoft Update!
issue is yet another euphemism!
The installer for the current version of Skype for Windows desktop (v8) does NOT have this issue, and it has been available since October, 2017.
Yet another lie!
https://go.skype.com/windows.desktop.download, still allow escalation of privilege, just in a slightly different way!
are vulnerable and have the problem 2 described above, on
Windows XP SP3 alias
Windows Embedded POSReady 2009 additionally the
are vulnerable and have the problems 1 and 2 described above.
The classifications CVE-2016-5720, CWE-377, CWE-379, CWE-426, CWE-427 and CAPEC-471 still apply.
X:\> FILEVER.EXE /V Skype-18.104.22.168.exe
--a-- W32i APP ENU 22.214.171.124 shp 60,252,800 03-06-2018 skype-126.96.36.199.exe
        Language        0x0409 (Englisch (USA))
        CharSet         0x04e4 Windows, Multilingual
        OleSelfRegister Disabled
        CompanyName     Skype Technologies S.A.
        FileDescription Skype Setup
        ProductName     Skype
        ProductVersion  8.17
        FileVersion     188.8.131.52
        LegalCopyright  (c) 2018 Skype and/or Microsoft
        Comments        This installation was built with Inno Setup.
…
Users of these versions of Windows NT but can’t
validate the authenticity and integrity of the executable
misses the SHA-1
signature mandatory for these operating systems.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

X:\> SIGNTOOL.EXE Verify /V Skype-184.108.40.206.exe

Verifying: Skype-220.127.116.11.exe
SHA1 hash of file: 754083C3B6738B8AAFAC3C9764CE58610AEFA485
SignTool Error: WinVerifyTrust returned error: 0x80096010
        The digital signature of the object did not verify.
Signing Certificate Chain:
    Issued to: Microsoft Root Certificate Authority 2011
    Issued by: Microsoft Root Certificate Authority 2011
    Expires:   22.03.2036 23:13:04
    SHA1 hash: 8F43288AD272F3103B6FB1428485EA3014C0BCFE

        Issued to: Microsoft Code Signing PCA 2011
        Issued by: Microsoft Root Certificate Authority 2011
        Expires:   08.07.2026 22:09:09
        SHA1 hash: F252E794FE438E35ACE6E53762C0A234A2C52135

            Issued to: Skype Software Sarl
            Issued by: Microsoft Code Signing PCA 2011
            Expires:   25.07.2018 21:34:25
            SHA1 hash: 402043FE8A3DF902377AFA66EB79E769A27487BD

File is not timestamped.
SignTool Error: File not valid: Skype-18.104.22.168.exe

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1

X:\>
Note: it also misses a counter signature alias timestamp!