Security researcher Stefan Kanthak found that attackers can abuse the Skype update installer through DLL hijacking, which allows the original library to be replaced with malicious code. Most importantly, Microsoft is not in a position to fix this vulnerability quickly.

Microsoft cannot eliminate the critical vulnerability of Skype

The flaw allows an attacker to download a maliciously crafted .dll file into a temporary folder accessible to the user and give it the name of an existing library that can be modified without administrator rights. Once downloaded to the device, Skype uses its built-in module to install updates. When that module runs, it uses another file to perform the update itself, and that file is the one vulnerable to the hijack.

According to the researcher, this method works not only on Windows but also on Linux and macOS. After gaining system privileges, an attacker can do anything, for example steal or delete personal data.
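As an added illustration (not code from the researcher or from Microsoft), the following sketch triages image-load records for the pattern described above: a process running as SYSTEM that loads a DLL from a user-writable temporary folder, especially one named like a system library. The record layout, sample paths, DLL names and the path-based writability heuristic are all assumptions.

```python
import ntpath  # Windows path rules, usable on any OS

# Assumption: folders treated as user-writable; a real check would read the ACLs.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Assumption: short list of system library names an attacker might shadow.
SYSTEM_DLL_NAMES = {"version.dll", "uxtheme.dll"}
PRIVILEGED_ACCOUNTS = {"nt authority\\system"}

# Constructed sample records (hypothetical field names, invented paths).
SAMPLE_EVENTS = [
    {"process": r"C:\Users\alice\AppData\Local\Temp\UPD1.tmp\updater.exe",
     "user": r"NT AUTHORITY\SYSTEM",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\UPD1.tmp\version.dll"},
    {"process": r"C:\Windows\Temp\setup\install.exe",
     "user": r"NT AUTHORITY\SYSTEM",
     "loaded": r"C:\Windows\System32\uxtheme.dll"},
    {"process": r"C:\Users\bob\AppData\Local\Temp\tool.exe",
     "user": r"DESKTOP\bob",
     "loaded": r"C:\Users\bob\AppData\Local\Temp\helper.dll"},
    {"process": r"C:\Windows\Temp\svc\agent.exe",
     "user": r"NT AUTHORITY\SYSTEM",
     "loaded": r"C:\Windows\Temp\svc\helper.dll"},
]

def in_user_writable_dir(path):
    """True if the file's folder lies under a temp location users can write to."""
    folder = ntpath.normcase(ntpath.dirname(path)) + "\\"
    return any(marker in folder for marker in USER_WRITABLE_MARKERS)

def classify(event):
    """Return a finding label for a privileged load from a writable folder, else None."""
    if event["user"].lower() not in PRIVILEGED_ACCOUNTS:
        return None  # unprivileged loads give no elevation
    if not in_user_writable_dir(event["loaded"]):
        return None  # DLL came from a protected directory
    name = ntpath.normcase(ntpath.basename(event["loaded"]))
    return "system-dll-shadowed" if name in SYSTEM_DLL_NAMES else "user-writable-load"

def find_hijack_candidates(events):
    """Collect (label, process, dll) for every record that classify() flags."""
    return [(v, e["process"], e["loaded"])
            for e in events if (v := classify(e)) is not None]

if __name__ == "__main__":
    for label, proc, dll in find_hijack_candidates(SAMPLE_EVENTS):
        print(f"{label}: {proc} loaded {dll}")
```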

Microsoft has reportedly been aware of this vulnerability since September last year, but cannot eliminate it because that would require rewriting a significant part of the code. Company representatives said they are working on an entirely new version of the client without this vulnerability.