Serious Security flaw has been fixed in Skype
If you’ve caught wind of the supposed Skype security flaw suddenly causing panic across the Infosec stratosphere, calm your fears. Microsoft fixed it months ago. The only question now is: did you apply the patch?!
You may have become aware, over the last few weeks, of some rising panic over a purportedly unfixable security flaw in Skype. But before you fret, and scramble to ascertain the dangers presented to you by this flaw, take heart: Microsoft located, solved and patched the issue way back in October 2017. The recent misguided warnings spreading over the internet are down to a German researcher called Stefan Kanthak. He was under the mistaken impression that Microsoft had failed to execute the large code revision required to patch the bug that he’d reported in September, and felt it necessary to disclose the flaw publicly to warn everyone. It was suggested, in the ensuing hysteria, that Microsoft had a major, ongoing security problem on its hands, that millions of Skype users were exposed and at risk, and that it would be very hard, very costly and very slow to fix. The thing is, however, that Stefan Kanthak was wrong.
To wrap it up neatly and allay any fears, here’s the rundown:
- The vulnerability appears in Skype for Windows version 7.40 or lower. If you’re still running version 7, update to version 8, which was released in October 2017 without the flaw. You’ll then be safe.
- The security error allowed malware running on a Windows PC to exploit Skype’s update process to gain control over the user’s computer with DLL hijacking. The hacker would then be able to access full system-level privileges.
- Microsoft addressed and patched the coding mess-up that allowed this back in October, when they rolled out Version 8. So happily, the vulnerability is avoided simply by updating Skype, and anyone already running the latest version has been protected for the last few months. There has been absolutely no suggestion of any malware infiltrating the updated version.
Skype program manager Ellen Kilbourne explained in a post on a support forum:
“There was an issue with an older version of the Skype for Windows desktop installer – version 7.40 and lower. The issue was in the program that installs the Skype software – the issue was not in the Skype software itself. Customers who have already installed this version of Skype for Windows desktop are not affected. We have removed this older version of Skype for Windows desktop from our website skype.com.”
So there you have it. This alleged crisis isn’t actually a crisis; it’s already been successfully averted. Update to Skype version 8 if for some reason you haven’t already, and stop worrying. Microsoft dealt with this ages ago. Now just make sure you apply the patch!