[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CADxeqvCqOk5iToJhScDBp=9zmfipB1VLcZVNPHafQbqSEyWbng@mail.gmail.com>
Date: Wed, 21 Feb 2018 11:55:39 +0000
From: Kevin Beaumont <kevin.beaumont@...il.com>
To: Stefan Kanthak <stefan.kanthak@...go.de>
Cc: Full Disclosure List <fulldisclosure@...lists.org>,
BugTraq <bugtraq@...urityfocus.com>
Subject: Re: [FD] Defense in depth -- the Microsoft way (part 51): Skype's
home-grown updater allows escalation of privilege to SYSTEM
I did a fresh install of Win7 Home yesterday and can confirm impacted Skype
version was offered by Windows Update for install.
Kev
On Tue, 20 Feb 2018 at 18:31, Stefan Kanthak <stefan.kanthak@...go.de>
wrote:
> "Jeffrey Walton" <noloader@...il.com> wrote:
>
> > On Fri, Feb 9, 2018 at 1:01 PM, Stefan Kanthak <stefan.kanthak@...go.de>
> wrote:
>
> [ http://seclists.org/fulldisclosure/2018/Feb/33 ]
>
> > Not sure if this is related, but:
> >
> https://winbuzzer.com/2018/02/14/microsoft-just-killed-skype-classic-response-unfixable-security-bug-xcxwbn/
>
> This is of course related: after Zack Whittacker published
> <
> https://www.zdnet.com/article/skype-cannot-fix-security-bug-without-a-massive-code-rewrite/
> >
> some hundred news outlets, bloggers etc. followed up.
> Except Zack Whittacker nobody contacted me.
> Many copied his article, some others added their own and wrong
> interpretation, even pure fiction, like this "WinBuzz":
>
> | Microsoft today squashed a bug that was found in Skype's updater
> | process earlier this week.
>
> Wrong. I reported the vulnerability 5 months ago.
> And Microsoft WONTFIX this vulnerability in Skype 7.x
>
> JFTR: <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5720>
> also WONTFIX
>
> [ pure speculation removed ]
>
> | It seems Microsoft found an alternative to rewriting code and fixing
> | Skype. the company has decided to effectively kill off the classic
> | app. The older version of Skype is no longer available anywhere as a
> | download.
>
> Really?
>
> Microsoft Update still offers the "classic" Skype for Windows alias
> Skype Desktop Client: on Windows 7 (which still has the largest
> market share) open Windows' control panel, go to Windows Update,
> switch to Microsoft Update (if not done before), and find KB2876229
> "Skype for Windows (7.30.0.101)" beyond the optional updates.
>
> For those who don't want to or can not start Microsoft Update:
> the Microsoft Update Catalog offers this and two older versions too
> <https://www.catalog.update.microsoft.com/search.aspx?q=kb2876229>
>
>
> In <https://support.microsoft.com/en-us/kb/2876229> Microsoft states:
>
> | Skype releases new versions of Skype for Windows throughout the year.
> | To help you stay current with new functionality| and features of the
> | Skype experience, Skype is available through Microsoft Update.
> ...
> | you will receive the latest version of Skype through Microsoft Update.
>
> NO, you DON'T get the latest version of Skype there!
> And Skype doesn't use Microsoft Update to deliver updates.
> Microsoft had well over 100 days since they closed MSRC case 40550 to
> fix this ...
>
>
> stay tuned
> Stefan Kanthak
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists