[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4E7EF569764144A9ACC2AF2459E67427@W340>
Date: Wed, 21 Feb 2018 19:07:33 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: "Kevin Beaumont" <kevin.beaumont@...il.com>
Cc: Full Disclosure List <fulldisclosure@...lists.org>,
BugTraq <bugtraq@...urityfocus.com>
Subject: Re: [FD] Defense in depth -- the Microsoft way (part 51): Skype's
home-grown updater allows escalation of privilege to SYSTEM
"Kevin Beaumont" <kevin.beaumont@...il.com> wrote:
>I did a fresh install of Win7 Home yesterday and can confirm impacted Skype
> version was offered by Windows Update for install.
Thanks for the confirmation.
See <https://skanthak.homepage.t-online.de/skype.html> for my writeup of
Skype's and Microsoft's epic failures in this case, including my reply
to the false statements of Microsoft's Ellen Kilbourne.
Stefan
> On Tue, 20 Feb 2018 at 18:31, Stefan Kanthak <stefan.kanthak@...go.de>
> wrote:
>
>> "Jeffrey Walton" <noloader@...il.com> wrote:
>>
>> > On Fri, Feb 9, 2018 at 1:01 PM, Stefan Kanthak <stefan.kanthak@...go.de>
>> wrote:
>>
>> [ http://seclists.org/fulldisclosure/2018/Feb/33 ]
>>
>> > Not sure if this is related, but:
>> >
>> https://winbuzzer.com/2018/02/14/microsoft-just-killed-skype-classic-response-unfixable-security-bug-xcxwbn/
>>
>> This is of course related: after Zack Whittacker published
>> <
>> https://www.zdnet.com/article/skype-cannot-fix-security-bug-without-a-massive-code-rewrite/
>> >
>> some hundred news outlets, bloggers etc. followed up.
>> Except Zack Whittacker nobody contacted me.
>> Many copied his article, some others added their own and wrong
>> interpretation, even pure fiction, like this "WinBuzz":
>>
>> | Microsoft today squashed a bug that was found in Skype's updater
>> | process earlier this week.
>>
>> Wrong. I reported the vulnerability 5 months ago.
>> And Microsoft WONTFIX this vulnerability in Skype 7.x
>>
>> JFTR: <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5720>
>> also WONTFIX
>>
>> [ pure speculation removed ]
>>
>> | It seems Microsoft found an alternative to rewriting code and fixing
>> | Skype. the company has decided to effectively kill off the classic
>> | app. The older version of Skype is no longer available anywhere as a
>> | download.
>>
>> Really?
>>
>> Microsoft Update still offers the "classic" Skype for Windows alias
>> Skype Desktop Client: on Windows 7 (which still has the largest
>> market share) open Windows' control panel, go to Windows Update,
>> switch to Microsoft Update (if not done before), and find KB2876229
>> "Skype for Windows (7.30.0.101)" beyond the optional updates.
>>
>> For those who don't want to or can not start Microsoft Update:
>> the Microsoft Update Catalog offers this and two older versions too
>> <https://www.catalog.update.microsoft.com/search.aspx?q=kb2876229>
>>
>>
>> In <https://support.microsoft.com/en-us/kb/2876229> Microsoft states:
>>
>> | Skype releases new versions of Skype for Windows throughout the year.
>> | To help you stay current with new functionality| and features of the
>> | Skype experience, Skype is available through Microsoft Update.
>> ...
>> | you will receive the latest version of Skype through Microsoft Update.
>>
>> NO, you DON'T get the latest version of Skype there!
>> And Skype doesn't use Microsoft Update to deliver updates.
>> Microsoft had well over 100 days since they closed MSRC case 40550 to
>> fix this ...
>>
>>
>> stay tuned
>> Stefan Kanthak
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists