Hacker News new | past | comments | ask | show | jobs | submit login
Skype can't fix a nasty security bug without a massive code rewrite (zdnet.com)
181 points by nautical on Feb 13, 2018 | hide | past | web | favorite | 96 comments

From the disclosure (http://seclists.org/fulldisclosure/2018/Feb/33):

> An unprivileged (local) user who is able to place UXTheme.dll or any of the other DLLs loaded by the vulnerable executable in %SystemRoot%\Temp\ gains escalation of privilege to the SYSTEM account.

On my machine at least an unprivileged user does not have access to %SystemRoot%\Temp\ so it seems to be a case of what Raymond Chen refers to as "on the other side of the airtight hatchway".

I need to test this later as I only have access to an unprivileged account at the moment, but based on comments online (https://stackoverflow.com/a/11917816), C:\Windows\Temp (%systemroot%\Temp redirects here, and is the folder Skype accesses from, is write only for unprivileged users (FILE_ADD_FILE).

Preliminary testing shows that I was able to write there with out any problem. No way for me to read it at the moment though...

Edit: As noted by another user here, yes, it is writeable. https://news.ycombinator.com/item?id=16367722

You're right. It is possible to write a file but not to list or access any other files. So it is a security bug. You could "fix" it yourself though, by using a privileged account and copy any DLLs loaded by the Skype updater into the directory.. An unprivileged user would not be able to overwrite the files.

Not sure, but based on the image in the stackoverflow link, it states that it has FILE_ADD_FILE, which translates in the GUI to “Create files / write data,” which I would assume means that overwrites are possible. Don’t trust my word on that though as I am no expert. Will try that a bit later and see what happens.

Given the name, you should assume that it specifically prevent from overwriting files.

The windows filesystem has more than a dozen specific permissions, similar to advanced acl on Linux, that allows very fine grained permissions.

This allows to have shared folders where users can do anything, except delete the directory itself or modify files created by other users.

You still can't overwrite files created by privileged users unless explicitly allowed to do so by the creator of the file. If you could, a lot more things would be broken in Windows.

I believe the default permissions for a volume grant users the ability to create folders, so they should be able to create a folder in C: called Temp and put files into it.

It’s also possible that when Skype’s updater creates the folder it has different ACLs.

> I believe the default permissions for a volume grant users the ability to create folders, so they should be able to create a folder in C: called Temp and put files into it.

That's inaccurate. UAC makes it appear like you can, if you try to do this as an unprivileged user on a default install it will fail.

Plus even if you could create C:\Temp, you'd need to add it to the system-scoped environmental variable PATH for it to be searched for libraries. If you could do that you've already effectively escalated without this.

This Skype issue exists because they're running a SYSTEM level process from a directory a normal user owns.

%SYSTEMROOT% is C:\Windows, not C:\.

I too cannot access C:\Windows\Temp at all without escalating permissions. Neither can I write to anything in C:\Windows as described in the original source without escalated permissions.

I'm a little puzzled about what would stop someone with the same permissions from doing exactly the same thing with the fully qualified name.

I need to test this later as I only have access to an unprivileged account at the moment, but based on comments online (https://stackoverflow.com/a/11917816), C:\Windows\Temp (%systemroot%\Temp redirects here, and is the folder Skype accesses from, is write only for unprivileged users (FILE_ADD_FILE).

Preliminary testing shows that I was able to write there with out any problem. No way for me to read it at the moment though...

Edit: As noted by another user here, yes, it is writeable. https://news.ycombinator.com/item?id=16367722

Oops, my mistake. Thanks for the correction.

The title isn't quite right here.

It's not that Microsoft can't fix this bug without a massive rewrite. It's that they'd rather do the massive rewrite than fix this security bug in the current client.

They could put a small amount of resources on critical fixes for the current client. It would have a small effect on the release of the new client but put them in a much better position once the new client is ready in terms of how many users they retain and how happy those users are. Overall, there's a lot of bang for the buck for this in terms of the overall health of the product.

Now, Microsoft may very well have a critical fix effort for the current client but this bug didn't make the grade as a critical bug. (I can't tell from just this article whether I would consider this a critical issue or not.)

The article mentions that this vulnerability affects Mac and Linux too. I'm curious how that's the case. DLLs, as i understand, are the Windows equivalent of shared libraries on Unix-like systems. Even if that's the case, there'd have to be subtle but important differences in the implantation details, due to the differing heritage of both systems, wouldn't there?

I've heard about DLL-injection many a time, for purposes ranging from benign (fun Counter-Strike mod) to evil (I am now NT AUTHORITY\SYSTEM, bitches). I've not heard about .so injection on Unix-like systems. Why is that? Is it because implementation details of Unix shared libraries preclude them being used in the same or a similar way, that I've just not been on the right mailing lists to hear about it, or more nobody cares to bother because everyone's on Windows?

Those of you whom are familiar with either or both systems, what material would you recommend for study that would answer my questions, or help me understand enough to ask a smarter one?

As far as my understanding goes, performing a .so injection at least on Linux systems is much easier: you just need to set up an LD_PRELOAD variable before running the program and that's it. See, for example, here [0].

And it is sometimes useful. One thing I can recall when this was necessary when I had an old webcam which did not work with Skype (a native application, at that moment) under Linux because of incompatibility with V4L2. To make the camera work, I had to do the LD_PRELOAD trick to preload a compatibility library (see here [1], search for "v4lcompat"). Another example, provided in [0], is overriding the default memory allocator.

Another, more coarse-grained way to manipulate the way libraries are loaded is to use the LD_LIBRARY_PATH variable. I believe it is currently used by Steam to specify its own set of libraries.

Granted, this is not really a DLL injection as it is usually understood (adding code to a running process), but it is the same thing as described in the article, as far as I can tell.

[0]: https://stackoverflow.com/questions/426230/what-is-the-ld-pr... [1]: https://wiki.ubuntu.com/SkypeWebCams

edit: grammar

Both the LD_PRELOAD and LD_LIBRARY_PATH variables are ignored for setuid programs, and if the program was started by something else you won't be able to change these variables. The issue here is not injecting code into a process you control, it's injecting code into a process running under a different account.

I'm far from an expert, but my guess is that the quote

> "Windows provides multiple ways to do it," he said. But DLL hijacking isn't limited to Windows, he said -- noting that it can apply to Macs and Linux, too.

is an artifact of the reporting, and not worth head scratching about.

The exploit would look completely different on Mac or Linux. As far as I know.

I was about to say this.

My Debian machine updates software through apt + dpkg, and I installed Skype via the Skype repository. Why would Skype for Linux then choose to bundle its own updater, thereby breaking the integrity a package manager provides?

Would you really be certain a commercial company buisness is going to care about correctly packaging for a flavor of linux? Some companies wil do this, even more so if they work with FOSS and linux. But in general, especially for companies on the proprietary train, I wouldn't be so sure.

If skype is in the base set of packages, I'd expect debian to require proper packaging. But if this is in some third party package, there are no such guarantees.

That said, maybe some third party package that just installs the normal (auto-updating) version into /opt or /usr/local might be an option. It is better than having no installer, and shouldn't break too much of your package manager. Proper clean-up on uninstall is the only real issue I can think of.

Lots of programs I have try to update outside dpkg: Chrome, Intellij, VS Code.

> Lots of programs I have try to update outside dpkg: Chrome, Intellij, VS Code.

Chrome and vscode have their own apt repositories. I don't know about intellij, but at least for the other two you just have to install them using their repos, and not using the dpkg package directly.

On Windows, for legacy compatibility reasons, the default DLL search path includes the directory the executable is located on by default. On Unix, that's not the case.

I'd recommend the following study material:

- Windows: "Dynamic-Link Library Search Order" https://msdn.microsoft.com/en-us/library/windows/desktop/ms6...

- Linux: http://man7.org/linux/man-pages/man8/ld.so.8.html

Maybe it's pedantic, but I wish security reporters wouldn't list their pubkeys and signal # on a page that isn't served over TLS.

The article mentioned that the bug reporter claimed that MacOS and Linux were also possibly affected. I run Skype on Xubuntu and it is installed via apt and a signed repo / package. Also Linux by default doesn't have '.' in the search path for dlopen() / ld.so.

Technical information is here: http://seclists.org/fulldisclosure/2018/Feb/33

Few years ago after not logging into Skype for few months when I have launched Skype I was logged in automatically to another person's account (similar in name to my own, but with additional prefix). It happen few times in period of 2-3 years. When I tried to report it, support staff supposedly handed the info to their supervisor and that's was it. Fortunately web client had resolved such issues.

An interim solution could be to install the UWP Skype app from the Store. I don't think it relies on Updater.exe for patches.

Yeah, the article seems to fail to mention that the current version of Windows, which almost everyone had two years to upgrade to for free, has a version of Skype that isn't vulnerable. Given that Windows 10 has been out since 2015, and everyone with a Windows license going back to 2009 had a free upgrade path, failing to mention that Skype on Windows 10 (they don't recommend classic Skype for Windows 10 users) isn't vulnerable borders on the FUD barrier.

I don't know if it's still the case, but is the UWP a crash-prone nightmare that doesn't have feature parity with the older client family?

It's gotten significantly better over time. I can't remember the last time it crashed, sync between clients of the chat log is kinda wonky sometimes but that's just Skype in general. Not positive on feature parity, I've been on the UWP version for quite a while and couldn't tell you what's different anymore.

I've literally had to go out to unfuck a Skype UWP install onsite tonight, in what may be a freak co-incidence.

Skype decided a perfectly working webcam was permanently in use by something else. It wasn't, but a uninstall and reinstall of the app cured it.

Skype needs a rewrite. I don't like saying "rewrite" but I also hate Skype's messaging system.

The new Skype version has been terrible, at least on macOS.

What are some good alternatives that offer group calls and screen sharing?


Surprisingly good. No account required, no limit on number of people, good screen sharing, works everywhere(because web-based).

That's because they rewrote their native Cocoa application in Electron and threw away years of work that they had put into it making it decent along with it.

I don't know what those years of work were accomplishing, but they didn't make Skype decent.

Skype was decent a decade ago, and it has declined since then.

That may be true, but the Cocoa version was still better in terms of performance and usability.

That's nothing the sharp decline that was version 8.0.

The new Skype is so bad, we joke that it must be malware. The design was bad already, but holy eyesore. At least the MacOS version works.

On android, when I log in as my account, the only contacts I have are those from my sisters account (???) and none of my subscriptions are there so I can't even make calls that require Skype credit even though my account has credit. I had to add my wife as a contact and none of my chat history with her showed up. As close to unusable as it comes...

I wonder what the engineering team is doing over at Skype HQ. I can't even see my message history with the latest overhaul/update. I would migrate to a new platform but most of my friends are already on Skype, thus migrating to another would be a hassle.

Hangouts, FB Messenger.

Hangouts has terrible performance and I won't force people into using anything FB related.

We found that Hangouts was the most resilient, followed by FB Messenger. All better than Skype. (Of course all 3 are terrible from a lot of aspects, mainly they come with having a Google or FB account.)

Slack is good for 1-1 calls though.

And of course there are possibly hundreds of free and open source alternatives, but I don't know of any that can be easily used from a browser.

I hope the Mattermost video-audio chat ( https://docs.mattermost.com/deployment/webrtc.html ) gains enough momentum to become a well established alternative.

Slack could be a good option, it has group calls and screen share, but my company won't pay for it.

Discord has both!


Time to use the web client.

Or not at all, I haven't had a need for skype but the last client I used was the web client on Linux.

I've had good experience with Jitsi Meet (https://meet.jit.si). You can run it from a browser, it's very pleasant and works quite well. Plus, it's open source.

Thank you. Just tried it and it works great in Chromium.

It's not "nasty" at all, it's an irrelevant bug, since local account security is easily bypassable in a lot of ways.

It's also trivial to fix: just create a directory in Temp and put the executable there instead of directly in the Temp directory.

Absolutely nothing surprises me with Skype anymore. Sadly.

Messages do not get delivered to iPhone, iPad and Mac. Only pick two. Pick random two.

Not sure what Microsoft's plan for Skype was. But I don't see it working out either way.

I must be missing something obvious here. Why can’t skype just hard code the locations and hashes of the dll files it needs to load? Why is Skype loading random DLLs from user accessible folders? I must be misunderstanding how Windows programs use DLLs and why it needs to just search for them.

Edit: @jwilk in the comments here pointed to a better article about the security vulnerability [1]. Based on the technical details, there seems to be no reason why Microsoft could not issue a very quick fix loading the DLL from the secure location.

Important quote in my eyes:

“The engineers provided me with an update on this case. They've reviewed the code and were able to reproduce the issue, but have determined that the fix will be implemented in a newer version of the product rather than a security update. The team is planning on shipping a newer version of the client, and this current version will slowly be deprecated. The installer would need a large code revision to prevent DLL injection, but all resources have been put toward development of the new client.”

In other words, it seems Microsoft/Skype doesn’t care about security at all. A couple of lines to fix the bug, in theory, but Microsoft is too busy to do it. Doesn’t make sense, unless a new version would have been released shortly, but it has been 4 months between that email and disclosure.

[1]: http://seclists.org/fulldisclosure/2018/Feb/33

> A couple of lines to fix the bug, in theory

Yes that's all it takes. No code reviews, security review, integration testing, quality assurance testing, compatibility testing, or validation. None of the work on the installer or updater. No release notes or other communication to the community.

Just a couple lines of code. Easily done before morning coffee.

> No code reviews, security review, integration testing, quality assurance testing, compatibility testing, or validation.

If this was a small startup, I can absolutely see those being hurdles. This is Microsoft on a product they've had for 20+ years that is a major part of their platform - those things should be mostly automated and well oiled machines.

A mature enterprise level company has no excuses for "QA is hard!" or "We can't validate patches!" for a product they sell. I don't expect them to get this out in ten minutes, but they should be able to manage a patch in 24 - 72 hours for a fairly critical and relatively easily solved security bug.

As a former Microsoft employee, my experience was that the longer a product was around, the harder it was to figure out who understood any part of it well enough to change something.

I would guess I averaged about 10 lines a month on my project that had been around for decades. Making even slight tweaks required dozens of meetings, design discussions, functional and performance testing, etc. etc. It took an eternity.

Microsoft is still actively patching Skype. Here's an example of them patching what sounds like a similar DLL flaw just last year:


And don't forget that the product work as expected in most cases and many changes are not justified.

The bike shed won't get painted to a new color just because a the new middle manager asked for it.

Ironically I would comment exactly what you did with, but the roles reversed:

“If this was a small startup I couldn’t see those being hurdles but at a behemoth like MS with an almost 2 decade old product I can.”

I feel like you've got those reversed. In small startup the bug fix would be deployed to production before it's committed to source control.

In a large enterprise the process isn't too hard, it's just complicated.

I was neither justifying or admonishing MS for this issue, I was just responding to a gross trivialization of the process that I found offensive.

> 24 - 72 hours for a fairly critical and relatively easily solved security bug

Let's see. How many microsoft employees would it take to change a lightbulb? ;-)



> That initial five minutes of dev time translates into many person-weeks of work and enormous costs

This is just to add an interesting article on top of the sibling comment from the MS employee; nothing's easy in the engineering of a large product.

I'm guessing if they fix this bug the simple way they break the entire product and the proper way is many months of work (entire eco-system restructure).

> code reviews, security review, integration testing, quality assurance testing, compatibility testing,

Valid counter-criticism of the "just a couple of lines of code" line generally, but four months is a long time since disclosure and that is a lot of morning coffees.

I wasn't defending Microsoft, just responding to the trivialization the op made.

According to the article, Microsoft is dedicating resources to a new client which won't exhibit the flaw.

So I guess that means either they examined the flaw and determined it wasn't a high enough risk to warrant patching, or they don't care. Dealer's choice I guess.

Maybe the number of people using Skype these days is insignificant? I tried to use it about a year ago and noped the hell away after 5 minutes.

As others have already noted, yes, it’s a pain ship fixes in a company setting, and I fully understand that. On the oth r hand, 4 months for no fix is inexcusable.

I think this is a response to the headline, which specifically mentions a "massive code rewrite".

Luckily 'they don't care about security at all'. They just looked into it for fun when the report came in.

"Can't you just..."

Like nails on a chalkboard.

Bureaucracy is hard, but so is losing clients or getting sued by an enterprise customer for negligence in handling a known security hole in a timely fashion. Corporations can become extremely agile when there's money on the line.

I enjoyed your retort, but I'll note that it being "just a couple lines of code" at least should imply that this is no harder than other security fixes, which somehow do make their way out faster than main releases.

This is due to the way that Windows loads DLLs, there is a defined search order and the current working-directory is one of the locations.

There have been a lot of write-ups on this topic on Raymond Chen's blog, here is a good example:


If that were all there is to it, would this not be an issue for all Windows applications, not just Skype? Is it just Skype that puts the current working directory in the list, or at least in a position where it can be used to preempt the loading of the correct DLL?

The link you provide as an example suggests that this sort of thing might be done to facilitate testing, but again, that doesn't seem to be a compelling reason for not fixing it now - 'ship what you test' is a good principle, but it does not preempt 'fix known security holes.'

It is an issue for all Windows applications.

There was a month when 50%+ of the traffic on full-disclosure@ was just one person repeatedly announcing newly discovered problems with various Windows software that all involved search-path problems ("DLL hijacking" or related issues).

There's at least one author who is super keen on using the phrase "binary planting" to refer to a similar class of attacks.

Well, I guess not all Windows applications are run as the SYSTEM account, but the Skype SKY-tmp is? I'd assume, at least, that programs intended to run as the SYSTEM account does a better job of loading DLLs from secure locations.

In other words, the Linux equivalent would be a setuid executable that doesn't properly ignore LD_PRELOAD_PATH.

Well, the system executable should not be run as root from /tmp obviously.

Its an issue with all windows applications but not all windows applications have the same elevated permissions that skype seems to

That doesn't mean you cannot load a DLL manually from a static location: https://msdn.microsoft.com/en-us/library/windows/desktop/ms6...

I was just about to come back here and mention that. The article and comments that @stevekemp linked to provided a lot of insight, but as you mentioned, there are ways to prevent exploits of that nature, which the comments in the article point to also. Something still seems to be missing from my understanding of what Skype is doing...

The cynic in me thinks this is already known and is in use by a "strategic partner" as a vector. The next version will only make it harder to find and exploit.

Your comment reminded me of this: https://notepad-plus-plus.org/news/notepad-7.3.3-fix-cia-hac...

I doubt this was intentional at first, but the fact that they don't want to fix it is very fishy.

That is a very different issue, as there the concept is that the original file in the original location is being replaced. As is stated in that post, at that point the person could just as easily replace the program itself with a modified version of the entire program. That is not a security issue in the software.

You can actually control most of this using an application manifest. The advantage being you can prevent any non-"known" dll from loading from any folder it's not supposed to. Moreover you can ensure that it's embedded in the binary so if someone tries to modify the manifest it breaks the cryptographic signature on the binary.

To anyone going "but what if they replace the binary!" well then they've already gotten past the air-tight hatchway.

It would be interesting to see Google Project Zero’s take on it. It’s a shame they didn’t discover it because I’m sure the back and forth between them and the Skype devs would have been really interesting.

PZ almost certainly is aware of at least the general issue - Windows DDL hijacking posts hit the Full Disclosure list pretty much weekly. It is a very well-known issue, at least among those who subscribe to security lists, approaching dead-horse status.

> Why is Skype loading random DLLs from user accessible folders?

Good question. Almost every time I want to use some new security tool - like say AppLocker - Skype craps out on me, because it seems to be so badly programmed, and it's all over the place in Windows. It's why I stopped using the native app completely, and only use the web version whenever I still need to use Skype.

> Why is Skype loading random DLLs from user accessible folders?

%SYSTEMROOT%/Temp doesn't seem to be user-readable at all, so I'm having trouble understanding how you write anything there without already having escalated permissions.

I need to test this later as I only have access to an unprivileged account at the moment, but based on comments online (https://stackoverflow.com/a/11917816), the folder is write only for unprivileged users (FILE_ADD_FILE).

You're correct, I was able to write a file without privilege escalation, and then I verified it was there by escalating. Thanks.

If anyone is wondering, it's a little bit tricky to check because without the read permission, Windows Explorer can't see what the permissions are.

More probably this is something they need for a reason we don't know about but won't disclose.

A bug sure, but does anyone really care much about local privilege escalation on Windows? On a system where Skype is installed?

Someone without 2FA might check their email on that system. Their bank might send them email...

As far as I've seen, no one noticed that this is about the old legacy version of Skype, the "rewritten client" they talk about in the article is the current Electron-based client. That one and the UWP version are not affected by this.

Oh yes please, whatever the reason. The current Skype is rubbish. Make us something nice!

It is interesting to note that there is no option to control or disable updates in new Skype RT for Windows. Opera browser also doesn't allow user to control updates.

suid programs and the installer is de-facto such a beast should not be written if one can avoid it. Providing users with sufficient powerful APIs and installing software on a per user level is one way to avoid this mess. Another is to delegate installation to the operating system and not rolling your own. Anyone else messing up this way may be able to point to Microsoft. Now those folks at Skype are here in a bit a pickle.

Sure they can't...

P.S check out Microsoft teams!

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact