| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 21 Feb 2018 11:55:39 +0000 From: Kevin Beaumont <kevin.beaumont@...il.com> To: Stefan Kanthak <stefan.kanthak@...go.de> Cc: Full Disclosure List <fulldisclosure@...lists.org>, BugTraq <bugtraq@...urityfocus.com> Subject: Re: [FD] Defense in depth -- the Microsoft way (part 51): Skype's home-grown updater allows escalation of privilege to SYSTEM I did a fresh install of Win7 Home yesterday and can confirm impacted Skype version was offered by Windows Update for install. Kev On Tue, 20 Feb 2018 at 18:31, Stefan Kanthak <stefan.kanthak@...go.de> wrote: > "Jeffrey Walton" <noloader@...il.com> wrote: > > > On Fri, Feb 9, 2018 at 1:01 PM, Stefan Kanthak <stefan.kanthak@...go.de> > wrote: > > [ http://seclists.org/fulldisclosure/2018/Feb/33 ] > > > Not sure if this is related, but: > > > https://winbuzzer.com/2018/02/14/microsoft-just-killed-skype-classic-response-unfixable-security-bug-xcxwbn/ > > This is of course related: after Zack Whittacker published > < > https://www.zdnet.com/article/skype-cannot-fix-security-bug-without-a-massive-code-rewrite/ > > > some hundred news outlets, bloggers etc. followed up. > Except Zack Whittacker nobody contacted me. > Many copied his article, some others added their own and wrong > interpretation, even pure fiction, like this "WinBuzz": > > | Microsoft today squashed a bug that was found in Skype's updater > | process earlier this week. > > Wrong. I reported the vulnerability 5 months ago. > And Microsoft WONTFIX this vulnerability in Skype 7.x > > JFTR: <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5720> > also WONTFIX > > [ pure speculation removed ] > > | It seems Microsoft found an alternative to rewriting code and fixing > | Skype. the company has decided to effectively kill off the classic > | app. The older version of Skype is no longer available anywhere as a > | download. > > Really? > > Microsoft Update still offers the "classic" Skype for Windows alias > Skype Desktop Client: on Windows 7 (which still has the largest > market share) open Windows' control panel, go to Windows Update, > switch to Microsoft Update (if not done before), and find KB2876229 > "Skype for Windows (7.30.0.101)" beyond the optional updates. > > For those who don't want to or can not start Microsoft Update: > the Microsoft Update Catalog offers this and two older versions too > <https://www.catalog.update.microsoft.com/search.aspx?q=kb2876229> > > > In <https://support.microsoft.com/en-us/kb/2876229> Microsoft states: > > | Skype releases new versions of Skype for Windows throughout the year. > | To help you stay current with new functionality| and features of the > | Skype experience, Skype is available through Microsoft Update. > ... > | you will receive the latest version of Skype through Microsoft Update. > > NO, you DON'T get the latest version of Skype there! > And Skype doesn't use Microsoft Update to deliver updates. > Microsoft had well over 100 days since they closed MSRC case 40550 to > fix this ... > > > stay tuned > Stefan Kanthak > > _______________________________________________ > Sent through the Full Disclosure mailing list > https://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ > _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists