[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [FD] Defense in depth -- the Microsoft way (part 51): Skype's home-grown updater allows escalation of privilege to SYSTEM
- From: "Stefan Kanthak" <stefan.kanthak AT nexgo.de>
- Subject: Re: [FD] Defense in depth -- the Microsoft way (part 51): Skype's home-grown updater allows escalation of privilege to SYSTEM
- Date: Thu, 15 Feb 2018 22:24:58 +0100
- Arc-authentication-results: i=1; mx.google.com; spf=pass (google.com: domain of fulldisclosure-bounces AT seclists.org designates 18.104.22.168 as permitted sender) smtp.mailfrom=fulldisclosure-bounces AT seclists.org
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:content-transfer-encoding:cc:list-subscribe :list-help:list-post:list-unsubscribe:list-id:precedence:subject :mime-version:organization:date:references:to:from:message-id :delivered-to:arc-authentication-results; bh=iDUnSSdLrsAS9MepLwG99IKO/oYfm04ZnvdBOFUzOfU=; b=FCN1RnP8txbW88VqWTsJChS4E96zxkFYyrX7UXq0/C0Zrib8gzMlUWEsT8U5PEIige p++md/2LCsBsg34xZIWfspCvmjHkomHQ4SdnmeWAJ2uRu17dsNzEHTu+lZl1eZg6hD9i MzHljgCEqOgRnm7zijEnfzBuajWdyZJqShDprbAP2o1qgCjem5LjWxRxLUfNCiAsn3A0 +1XignrXDYwtBHsYWQzxo4fI2vyqnNLpvDC86kNtRyFs6I2fSRUSjr4Xwxa0WahBBNBP NrqnHD/J5cSf/5qZJWYHRckSwbZr0Bg3u5rPKz8m3OBvh8sBF+aE47TIg2o6ilApAp3g ZKkw==
- Arc-seal: i=1; a=rsa-sha256; t=1519151544; cv=none; d=google.com; s=arc-20160816; b=AIzms2mB4zyOatNIeUeRBxZZcvyU7fQoF74nFThEf2B6FbyQSvBdI1alygYXaSgxY+ 8i0w+EUpZDSS04tz1cLMiwY/gZ9Ufx3njla6N3RgG9vzopXYLojJXc5m8JRaZ1hQ9Fl6 YlObO1r8Gg/aLbQ0fobgL0CDJm4VU/reY7CA+08q1ylpmV7OCA3tqjLdrDSzL+/YzdiW VnmMjJeyK4W32hMq9C5SRuXPXdHOrtwJXDV4TXDjKI1QfneIvmBJOlbvszBMp6i/oKHj RHaY/cTON6UnVCRXeRRQWDLV26O94xVLdD0cXBYP4mn3hjpiA4s62C4MRGuurV9tw466 SvKA==
- Cc: Full Disclosure List <fulldisclosure AT seclists.org>, BugTraq <bugtraq AT securityfocus.com>
- Organization: Me, myself & IT
- Sender: "Fulldisclosure" <fulldisclosure-bounces AT seclists.org>
- To: <noloader AT gmail.com>
"Jeffrey Walton" <noloader AT gmail.com> wrote:
> On Fri, Feb 9, 2018 at 1:01 PM, Stefan Kanthak <stefan.kanthak AT nexgo.de> wrote:
[ http://seclists.org/fulldisclosure/2018/Feb/33 ]
> Not sure if this is related, but:
This is of course related: after Zack Whittacker published
some hundred news outlets, bloggers etc. followed up.
Except Zack Whittacker nobody contacted me.
Many copied his article, some others added their own and wrong
interpretation, even pure fiction, like this "WinBuzz":
| Microsoft today squashed a bug that was found in Skype's updater
| process earlier this week.
Wrong. I reported the vulnerability 5 months ago.
And Microsoft WONTFIX this vulnerability in Skype 7.x
[ pure speculation removed ]
| It seems Microsoft found an alternative to rewriting code and fixing
| Skype. the company has decided to effectively kill off the classic
| app. The older version of Skype is no longer available anywhere as a
Microsoft Update still offers the "classic" Skype for Windows alias
Skype Desktop Client: on Windows 7 (which still has the largest
market share) open Windows' control panel, go to Windows Update,
switch to Microsoft Update (if not done before), and find KB2876229
"Skype for Windows (22.214.171.124)" beyond the optional updates.
For those who don't want to or can not start Microsoft Update:
the Microsoft Update Catalog offers this and two older versions too
In <https://support.microsoft.com/en-us/kb/2876229> Microsoft states:
| Skype releases new versions of Skype for Windows throughout the year.
| To help you stay current with new functionality| and features of the
| Skype experience, Skype is available through Microsoft Update.
| you will receive the latest version of Skype through Microsoft Update.
NO, you DON'T get the latest version of Skype there!
And Skype doesn't use Microsoft Update to deliver updates.
Microsoft had well over 100 days since they closed MSRC case 40550 to
fix this ...
Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/