
Me, myself & IT

Skype – or Redmond, you’ve got a problem!

In May 2011, Microsoft® bought Skype.

In 2012, Microsoft started to distribute Skype for Windows® Desktop to users of Windows XP, Windows Vista and Windows 7, first through Windows Update as optional updates 2692954 and 2727727, then through Microsoft Update as optional update 2876229, and made the latter available in the Microsoft Update Catalog.

Note: Microsoft’s designation of the initial installer as an update is a euphemism!

Problem 1

Their home-grown executable installer skypesetupfull(, the version available through Microsoft Update and the latest version available in the Microsoft Update Catalog, is susceptible to DLL spoofing alias DLL hijacking or DLL preloading, a well-known and well-documented vulnerability.

The CVE® lists the vulnerability as CVE-2016-5720, the CWE lists the weaknesses as CWE-426: Untrusted Search Path and CWE-427: Uncontrolled Search Path Element, the CAPEC lists the attack as CAPEC-471: DLL Search Order Hijacking.

The vulnerable executable installer loads at least the following DLLs from its application directory instead of from Windows’ system directory %SystemRoot%\System32\: MSImg32.dll, OLEAcc.dll, RichEd20.dll, DWMAPI.dll or UXTheme.dll, ClbCatQ.dll and COMRes.dll.
Additionally, it loads MZP.dll from the DLL search path.

On Windows Vista and newer versions of Windows NT, due to its embedded application manifest the executable installer requests administrative privileges: all DLLs it loads are therefore executed with administrative privileges too. An attacker who places any of these DLLs in the directory where the executable is stored, typically the user’s Downloads directory %USERPROFILE%\Downloads\, gains escalation of privilege.

Microsoft published advisories and guidance to avoid this beginner’s error, for example Dynamic-Link Library Security, Insecure Library Loading Could Allow Remote Code Execution, Secure loading of libraries to prevent DLL preloading attacks and Load Library Safely, which their own developers and their quality assurance however obviously ignore!
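A defender-side check for the condition described in Problem 1, as an added example that is not part of the original page: it scans one directory for PE files named like the DLLs listed above that sit beside an executable. The function names, the sample file names and the directory contents are constructed for illustration.

```python
import os
import tempfile

# DLL names this page lists for the vulnerable installer, lower-cased because
# Windows file names are case-insensitive.
PAGE_DLLS = {n.lower() for n in (
    "MSImg32.dll", "OLEAcc.dll", "RichEd20.dll", "DWMAPI.dll",
    "UXTheme.dll", "ClbCatQ.dll", "COMRes.dll", "MZP.dll")}
# .tmp is included because the updater runs its payload under a .tmp name
LAUNCHABLE = (".exe", ".tmp")

def is_pe(path):
    """True if the file starts with the 'MZ' magic of a PE image."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"

def find_colocated_dlls(directory):
    """Return sorted [(dll_name, [executables in the same directory])]."""
    files = [e for e in os.scandir(directory) if e.is_file()]
    exes = sorted(e.name for e in files
                  if e.name.lower().endswith(LAUNCHABLE) and is_pe(e.path))
    hits = [(e.name, exes) for e in files
            if e.name.lower() in PAGE_DLLS and is_pe(e.path)]
    # A DLL with a system name only matters here if an executable is beside it
    return sorted(hits) if exes else []

def demo():
    """Build a constructed Downloads-like directory and scan it."""
    samples = {
        "Installer-constructed.exe": b"MZ\x90\x00",  # stands in for an installer
        "uxtheme.dll": b"MZ\x90\x00",   # PE image named like a system DLL
        "dwmapi.dll": b"plain text",    # right name, but not a PE image
        "report.pdf": b"%PDF-1.4",      # unrelated file
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return find_colocated_dlls(d)

if __name__ == "__main__":
    for dll, exes in demo():
        print(f"{dll} sits beside {', '.join(exes)}")
```

A hit is a reason to inspect the file and its origin before running anything from that directory, not proof of tampering.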

Problem 2

The home-grown updater installed with skypesetupfull( is vulnerable too.

The CWE lists its additional weaknesses as CWE-377: Insecure Temporary File and CWE-379: Creation of Temporary File in Directory with Incorrect Permissions.

Once installed, Skype uses its own proprietary update mechanism instead of Microsoft Update: the program %ProgramFiles%\Skype\Updater\Updater.exe is run periodically under the LocalSystem alias NT AUTHORITY\SYSTEM account, with the environment variables %TEMP% and %TMP% set to %SystemRoot%\Temp.
When an update is available, %ProgramFiles%\Skype\Updater\Updater.exe copies or extracts another executable as %SystemRoot%\Temp\SKY‹abcd›.tmp and executes it using the command line

"%SystemRoot%\Temp\SKY‹abcd›.tmp" /QUIET

This executable is vulnerable to DLL hijacking too: it loads at least DWMAPI.dll or UXTheme.dll from its application directory %SystemRoot%\Temp\ instead of from Windows’ system directory %SystemRoot%\System32\.
The directory %SystemRoot%\Temp\ is writable for unprivileged (local) users: its NTFS ACL entries (A;CI;0x00100026;;;BU) (A;OICIIO;FA;;;CO) grant members of the BUILTIN\Users group the right to create files and subdirectories, plus full access to their own creations.
An unprivileged user who places a rogue DWMAPI.dll, UXTheme.dll or any of the other DLLs loaded by the vulnerable executable %SystemRoot%\Temp\SKY‹abcd›.tmp in %SystemRoot%\Temp\ gains escalation of privilege to the LocalSystem account.
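The two ACL entries quoted above can be decoded mechanically. The following added example, which is not part of the original page, parses SDDL ACE strings and reports which broad, unprivileged groups may create files in the directory itself; the function names and the HARDENED_ACES sample are constructed, and deny ACEs and group nesting are deliberately ignored.

```python
import re

# Directory access-right bits from winnt.h, plus the standard rights
RIGHTS = {
    0x000001: "FILE_LIST_DIRECTORY", 0x000002: "FILE_ADD_FILE",
    0x000004: "FILE_ADD_SUBDIRECTORY", 0x000008: "FILE_READ_EA",
    0x000010: "FILE_WRITE_EA", 0x000020: "FILE_TRAVERSE",
    0x000040: "FILE_DELETE_CHILD", 0x000080: "FILE_READ_ATTRIBUTES",
    0x000100: "FILE_WRITE_ATTRIBUTES", 0x010000: "DELETE",
    0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
# SDDL two-letter file rights: all access, generic read / write / execute
ALIASES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
# SDDL SID abbreviations of broad, unprivileged groups
LOW_PRIV = {"BU": "BUILTIN\\Users", "AU": "Authenticated Users", "WD": "Everyone"}
FILE_ADD_FILE = 0x2

TEMP_ACES = "(A;CI;0x00100026;;;BU) (A;OICIIO;FA;;;CO)"  # as quoted on this page
HARDENED_ACES = "(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)"       # constructed sample

def decode_mask(rights):
    """Turn an SDDL rights field (hex or two-letter codes) into a bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= ALIASES[rights[i:i + 2]]
    return mask

def parse_aces(sddl):
    """Parse every '(type;flags;rights;guid;guid;sid)' ACE in the string."""
    aces = []
    for body in re.findall(r"\(([^()]*)\)", sddl):
        ace_type, flags, rights, _obj, _inherit_obj, sid = body.split(";")
        mask = decode_mask(rights)
        aces.append({"type": ace_type, "flags": re.findall("..", flags),
                     "mask": mask, "sid": sid,
                     "rights": [n for bit, n in RIGHTS.items() if mask & bit]})
    return aces

def unprivileged_writers(aces):
    """Groups whose allow ACE lets them add files to the directory itself."""
    return [LOW_PRIV[a["sid"]] for a in aces
            if a["type"] == "A" and a["sid"] in LOW_PRIV
            and "IO" not in a["flags"]          # inherit-only ACEs skip the dir
            and a["mask"] & FILE_ADD_FILE]
```

For the page's ACEs the first entry decodes to add-file, add-subdirectory, traverse and synchronize for BUILTIN\Users, and the second is an inherit-only full-access entry for CREATOR OWNER, matching the description above.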

Problem 3

Version updates to version 7.40, which has the problems of version too, and does not upgrade to any newer version, neither through its vulnerable updater nor through Microsoft Update!

Problem 4

The MSKB article Skype for Microsoft Update tells a lie:
Skype releases new versions of Skype for Windows throughout the year. To help you stay current with new functionality and features of the Skype experience, Skype is available through Microsoft Update.
Correct is: the version offered through Microsoft Update was digitally signed on 2015-03-25 at 14:39:33 UTC, it was published on 2015-04-24 at 11:29:26 UTC, it was superseded, it is outdated, it is vulnerable, and Microsoft doesn’t fix it!

The MSKB article Skype for Microsoft Update tells a second lie:

To make it simple and fast for Skype users to upgrade to the latest version of Skype for Windows, we have integrated Skype into Microsoft Update. If you have Skype installed on your PC already, either directly from or through a preinstalled version on your PC, you will receive the latest version of Skype through Microsoft Update.
Correct is: Skype for Windows Desktop is not updated through Microsoft Update, but by a home-grown and vulnerable updater installed with the client, and the versions available through Microsoft Update or in the Microsoft Update Catalog do not receive the latest version of Skype for Windows Desktop!

Problem 5

On February 14, Microsoft published their Update on Skype for Windows desktop installer – version 7.40 and lower, which is however wrong and misleading:
At Skype, we take security very seriously.
No, you don’t!
If Skype or Microsoft were really concerned about their users’ security, they would at least have published an advisory about 100 days ago to inform their customers, and would have removed version 7.40 and lower back then, everywhere!

Additionally, Skype would not implement and use an executable installer, but a Microsoft Installer package Skype-‹version›.msi, and it would not implement and use a proprietary updater, but Microsoft Update.
To discard these basic services offered by the Windows platform is a severe design bug, and to implement a vulnerable proprietary installer and updater instead is an epic failure!

There was an issue with an older version of the Skype for Windows desktop installer – version 7.40 and lower. The issue was in the program that installs the Skype software – the issue was not in the Skype software itself. Customers who have already installed this version of Skype for Windows desktop are not affected. We have removed this older version of Skype for Windows desktop from our website
This issue still persists: Note: Microsoft’s designation of this nasty vulnerability as issue is yet another euphemism!
The installer for the current version of Skype for Windows desktop (v8) does NOT have this issue, and it has been available since October, 2017.
Yet another lie!
All installers of version 8, first released October 30, 2017, available via, still allow escalation of privilege, just in a slightly different way!

The installers Skype-, Skype-, Skype-, Skype-, Skype-, Skype-, Skype- and Skype- are vulnerable and have the problem 2 described above, on Windows XP SP3 alias Windows Embedded POSReady 2009 additionally the problem 1.
The installers Skype-, Skype- and Skype- are vulnerable and have the problems 1 and 2 described above.
The classifications CVE-2016-5720, CWE-377, CWE-379, CWE-426, CWE-427 and CAPEC-471 still apply.

Problem 6

X:\> FILEVER.EXE /V Skype-
--a-- W32i   APP ENU shp 60,252,800 03-06-2018 skype-
	Language	0x0409 (Englisch (USA))
	CharSet		0x04e4 Windows, Multilingual
	OleSelfRegister	Disabled
	CompanyName	Skype Technologies S.A.
	FileDescription	Skype Setup
	ProductName	Skype
	ProductVersion	8.17
	LegalCopyright	(c) 2018 Skype and/or Microsoft
	Comments	This installation was built with Inno Setup.

Problem 7

According to Skype’s system requirements, their latest Skype for Windows Desktop supports Windows XP SP3 alias Windows Embedded POSReady 2009.

Users of these versions of Windows NT however can’t validate the authenticity and integrity of the executable installer Skype-: its digital signature lacks the SHA-1 signature mandatory for these operating systems.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

X:\> SIGNTOOL.EXE Verify /V Skype-

Verifying: Skype-
SHA1 hash of file: 754083C3B6738B8AAFAC3C9764CE58610AEFA485
SignTool Error: WinVerifyTrust returned error: 0x80096010
	The digital signature of the object did not verify.
Signing Certificate Chain:
    Issued to: Microsoft Root Certificate Authority 2011
    Issued by: Microsoft Root Certificate Authority 2011
    Expires:   22.03.2036 23:13:04
    SHA1 hash: 8F43288AD272F3103B6FB1428485EA3014C0BCFE

        Issued to: Microsoft Code Signing PCA 2011
        Issued by: Microsoft Root Certificate Authority 2011
        Expires:   08.07.2026 22:09:09
        SHA1 hash: F252E794FE438E35ACE6E53762C0A234A2C52135

            Issued to: Skype Software Sarl
            Issued by: Microsoft Code Signing PCA 2011
            Expires:   25.07.2018 21:34:25
            SHA1 hash: 402043FE8A3DF902377AFA66EB79E769A27487BD

File is not timestamped.
SignTool Error: File not valid: Skype-

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1

Note: it also lacks a countersignature alias timestamp!


Copyright © 1995–2018 • Stefan Kanthak • <‍skanthak‍@‍nexgo‍.‍de‍>