[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [FD] Defense in depth -- the Microsoft way (part 51): Skype's home-grown updater allows escalation of privilege to SYSTEM
- From: Kevin Beaumont <kevin.beaumont AT gmail.com>
- Subject: Re: [FD] Defense in depth -- the Microsoft way (part 51): Skype's home-grown updater allows escalation of privilege to SYSTEM
- Date: Wed, 21 Feb 2018 11:55:39 +0000
- Arc-authentication-results: i=1; mx.google.com; dkim=neutral (body hash did not verify) email@example.com header.s=20161025 header.b=E7M216Tj; spf=pass (google.com: domain of fulldisclosure-bounces AT seclists.org designates 2600:3c01::f03c:91ff:fe98:ff4e as permitted sender) smtp.mailfrom=fulldisclosure-bounces AT seclists.org; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:content-transfer-encoding:cc:list-subscribe :list-help:list-post:list-unsubscribe:list-id:precedence:subject:to :message-id:date:from:in-reply-to:references:mime-version :dkim-signature:delivered-to:arc-authentication-results; bh=hnwMO2XBPqt+Do7LUifuA9BLt5iMcNI9jfxy9G6AgTI=; b=k3lH0fTnK5xnNvYWozF66kcjG96yBhQf3T2FrKY1oVN1T8DRh/aMtBMohr5gGEEXRD uw02ZTUMUxfmIsYqxMJyFl8RLtAhhq9cQRw2ydfM6Ya5IWI+h+4XXXP1U92PZmXIQ9LT iJ3rviT7we9QkYggxxm/ClxND2GnSid2bbS+icHiEVPgKmppEfoJpBwpk3Rfjg2Ui0Bf MLxFRgMFWtmaH/gAg8098FId/Z2YucanAaMuZURqeLqMqRqQ+CXRCxNFkurvxhPcp1yo pbq3QYzQYq6/2IST/rrljjCxOdru9OsTsQ3kudEX8OTHy4xYkH9DLT93YYw6U/FFaVSM XEqA==
- Arc-seal: i=1; a=rsa-sha256; t=1519580553; cv=none; d=google.com; s=arc-20160816; b=F6ZmK+7Xe/KZgQ+RYSbzx8Dj/8iEKqG3YowkNQITVvxfQ0fojjvwAjXFCDGNSLXvBU C5N+LVYLqhw8QlkO8p/bdAiLUNn6Bfs/+BcDNGDTPzn7xHAC3+DrnQ2zA1mNwcj4l+6U Opf57BbUqfavyKi2C/5rrpHaEtsxJkuQNGp66ywTwqLpXYl2A8IhcuV+0TSmk7+2dtL2 lEqYr19QaJMlvmNStqMRu96mucJG6SsUiz9TXVVazS5wjJdWfmR/luBsgOYgD80beqdI BW89zIvPF6y9LaF5087yGqvDKc6kDmwJVKCQA7UDbMuqq91na3X+3n8SI8qS0FWHjbeP OSMQ==
- Cc: Full Disclosure List <fulldisclosure AT seclists.org>, BugTraq <bugtraq AT securityfocus.com>
- Sender: "Fulldisclosure" <fulldisclosure-bounces AT seclists.org>
- To: Stefan Kanthak <stefan.kanthak AT nexgo.de>
I did a fresh install of Win7 Home yesterday and can confirm impacted Skype
version was offered by Windows Update for install.
On Tue, 20 Feb 2018 at 18:31, Stefan Kanthak <stefan.kanthak AT nexgo.de>
> "Jeffrey Walton" <noloader AT gmail.com> wrote:
> > On Fri, Feb 9, 2018 at 1:01 PM, Stefan Kanthak <stefan.kanthak AT nexgo.de>
> [ http://seclists.org/fulldisclosure/2018/Feb/33 ]
> > Not sure if this is related, but:
> This is of course related: after Zack Whittacker published
> some hundred news outlets, bloggers etc. followed up.
> Except Zack Whittacker nobody contacted me.
> Many copied his article, some others added their own and wrong
> interpretation, even pure fiction, like this "WinBuzz":
> | Microsoft today squashed a bug that was found in Skype's updater
> | process earlier this week.
> Wrong. I reported the vulnerability 5 months ago.
> And Microsoft WONTFIX this vulnerability in Skype 7.x
> JFTR: <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5720>
> also WONTFIX
> [ pure speculation removed ]
> | It seems Microsoft found an alternative to rewriting code and fixing
> | Skype. the company has decided to effectively kill off the classic
> | app. The older version of Skype is no longer available anywhere as a
> | download.
> Microsoft Update still offers the "classic" Skype for Windows alias
> Skype Desktop Client: on Windows 7 (which still has the largest
> market share) open Windows' control panel, go to Windows Update,
> switch to Microsoft Update (if not done before), and find KB2876229
> "Skype for Windows (184.108.40.206)" beyond the optional updates.
> For those who don't want to or can not start Microsoft Update:
> the Microsoft Update Catalog offers this and two older versions too
> In <https://support.microsoft.com/en-us/kb/2876229> Microsoft states:
> | Skype releases new versions of Skype for Windows throughout the year.
> | To help you stay current with new functionality| and features of the
> | Skype experience, Skype is available through Microsoft Update.
> | you will receive the latest version of Skype through Microsoft Update.
> NO, you DON'T get the latest version of Skype there!
> And Skype doesn't use Microsoft Update to deliver updates.
> Microsoft had well over 100 days since they closed MSRC case 40550 to
> fix this ...
> stay tuned
> Stefan Kanthak
> Sent through the Full Disclosure mailing list
> Web Archives & RSS: http://seclists.org/fulldisclosure/
Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/