| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 21 Feb 2018 19:07:33 +0100 From: "Stefan Kanthak" <stefan.kanthak@...go.de> To: "Kevin Beaumont" <kevin.beaumont@...il.com> Cc: Full Disclosure List <fulldisclosure@...lists.org>, BugTraq <bugtraq@...urityfocus.com> Subject: Re: [FD] Defense in depth -- the Microsoft way (part 51): Skype's home-grown updater allows escalation of privilege to SYSTEM "Kevin Beaumont" <kevin.beaumont@...il.com> wrote: >I did a fresh install of Win7 Home yesterday and can confirm impacted Skype > version was offered by Windows Update for install. Thanks for the confirmation. See <https://skanthak.homepage.t-online.de/skype.html> for my writeup of Skype's and Microsoft's epic failures in this case, including my reply to the false statements of Microsoft's Ellen Kilbourne. Stefan > On Tue, 20 Feb 2018 at 18:31, Stefan Kanthak <stefan.kanthak@...go.de> > wrote: > >> "Jeffrey Walton" <noloader@...il.com> wrote: >> >> > On Fri, Feb 9, 2018 at 1:01 PM, Stefan Kanthak <stefan.kanthak@...go.de> >> wrote: >> >> [ http://seclists.org/fulldisclosure/2018/Feb/33 ] >> >> > Not sure if this is related, but: >> > >> https://winbuzzer.com/2018/02/14/microsoft-just-killed-skype-classic-response-unfixable-security-bug-xcxwbn/ >> >> This is of course related: after Zack Whittacker published >> < >> https://www.zdnet.com/article/skype-cannot-fix-security-bug-without-a-massive-code-rewrite/ >> > >> some hundred news outlets, bloggers etc. followed up. >> Except Zack Whittacker nobody contacted me. >> Many copied his article, some others added their own and wrong >> interpretation, even pure fiction, like this "WinBuzz": >> >> | Microsoft today squashed a bug that was found in Skype's updater >> | process earlier this week. >> >> Wrong. I reported the vulnerability 5 months ago. >> And Microsoft WONTFIX this vulnerability in Skype 7.x >> >> JFTR: <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5720> >> also WONTFIX >> >> [ pure speculation removed ] >> >> | It seems Microsoft found an alternative to rewriting code and fixing >> | Skype. the company has decided to effectively kill off the classic >> | app. The older version of Skype is no longer available anywhere as a >> | download. >> >> Really? >> >> Microsoft Update still offers the "classic" Skype for Windows alias >> Skype Desktop Client: on Windows 7 (which still has the largest >> market share) open Windows' control panel, go to Windows Update, >> switch to Microsoft Update (if not done before), and find KB2876229 >> "Skype for Windows (7.30.0.101)" beyond the optional updates. >> >> For those who don't want to or can not start Microsoft Update: >> the Microsoft Update Catalog offers this and two older versions too >> <https://www.catalog.update.microsoft.com/search.aspx?q=kb2876229> >> >> >> In <https://support.microsoft.com/en-us/kb/2876229> Microsoft states: >> >> | Skype releases new versions of Skype for Windows throughout the year. >> | To help you stay current with new functionality| and features of the >> | Skype experience, Skype is available through Microsoft Update. >> ... >> | you will receive the latest version of Skype through Microsoft Update. >> >> NO, you DON'T get the latest version of Skype there! >> And Skype doesn't use Microsoft Update to deliver updates. >> Microsoft had well over 100 days since they closed MSRC case 40550 to >> fix this ... >> >> >> stay tuned >> Stefan Kanthak _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists