Re: [FD] Defense in depth -- the Microsoft way (part 51): Skype's home-grown updater allows escalation of privilege to SYSTEM
- From: "Stefan Kanthak" <stefan.kanthak AT nexgo.de>
- Subject: Re: [FD] Defense in depth -- the Microsoft way (part 51): Skype's home-grown updater allows escalation of privilege to SYSTEM
- Date: Wed, 21 Feb 2018 19:07:33 +0100
- Cc: Full Disclosure List <fulldisclosure AT seclists.org>, BugTraq <bugtraq AT securityfocus.com>
- Organization: Me, myself & IT
- Sender: "Fulldisclosure" <fulldisclosure-bounces AT seclists.org>
- To: "Kevin Beaumont" <kevin.beaumont AT gmail.com>
"Kevin Beaumont" <kevin.beaumont AT gmail.com> wrote:
> I did a fresh install of Win7 Home yesterday and can confirm impacted Skype
> version was offered by Windows Update for install.
Thanks for the confirmation.
See <https://skanthak.homepage.t-online.de/skype.html> for my writeup of
Skype's and Microsoft's epic failures in this case, including my reply
to the false statements of Microsoft's Ellen Kilbourne.
> On Tue, 20 Feb 2018 at 18:31, Stefan Kanthak <stefan.kanthak AT nexgo.de>
>> "Jeffrey Walton" <noloader AT gmail.com> wrote:
>> > On Fri, Feb 9, 2018 at 1:01 PM, Stefan Kanthak <stefan.kanthak AT nexgo.de>
>> [ http://seclists.org/fulldisclosure/2018/Feb/33 ]
>> > Not sure if this is related, but:
>> This is of course related: after Zack Whittaker published
>> some hundred news outlets, bloggers etc. followed up.
>> Except Zack Whittaker nobody contacted me.
>> Many copied his article, some others added their own and wrong
>> interpretation, even pure fiction, like this "WinBuzz":
>> | Microsoft today squashed a bug that was found in Skype's updater
>> | process earlier this week.
>> Wrong. I reported the vulnerability 5 months ago.
>> And Microsoft WONTFIX this vulnerability in Skype 7.x
>> JFTR: <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5720>
>> also WONTFIX
>> [ pure speculation removed ]
>> | It seems Microsoft found an alternative to rewriting code and fixing
>> | Skype. The company has decided to effectively kill off the classic
>> | app. The older version of Skype is no longer available anywhere as a
>> | download.
>> Microsoft Update still offers the "classic" Skype for Windows alias
>> Skype Desktop Client: on Windows 7 (which still has the largest
>> market share) open Windows' control panel, go to Windows Update,
>> switch to Microsoft Update (if not done before), and find KB2876229
>> "Skype for Windows (220.127.116.11)" beyond the optional updates.
>> For those who don't want to or can not start Microsoft Update:
>> the Microsoft Update Catalog offers this and two older versions too
>> In <https://support.microsoft.com/en-us/kb/2876229> Microsoft states:
>> | Skype releases new versions of Skype for Windows throughout the year.
>> | To help you stay current with new functionality and features of the
>> | Skype experience, Skype is available through Microsoft Update.
>> | you will receive the latest version of Skype through Microsoft Update.
>> NO, you DON'T get the latest version of Skype there!
>> And Skype doesn't use Microsoft Update to deliver updates.
>> Microsoft had well over 100 days since they closed MSRC case 40550 to
>> fix this ...
>> stay tuned
>> Stefan Kanthak
Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/