That Skype Bug That Microsoft Wasn’t Going To Fix Is Actually Already Fixed

You might recall that I posted a story about a Skype bug that could lead to you getting pwned by hackers, and that Microsoft wasn’t going to fix it. Well, it’s actually been fixed.

Confused? Yeah. So was I. Hang with me and I’ll explain.

According to Skype program manager Ellen Kilbourne via a support forum post, the vulnerability is present in Skype for Windows versions 7.40 and lower. Last October, Microsoft released version 8 without the flaw. Thus the fix is to upgrade to the latest version.

So, how did we end up with this becoming an issue?

The issue was discovered by German researcher Stefan Kanthak. In the paper where he disclosed this bug, he says this:

“The engineers provided me with an update on this case. They’ve reviewed the code and were able to reproduce the issue, but have determined that the fix will be implemented in a newer version of the product rather than a security update. The team is planning on shipping a newer version of the client, and this current version will slowly be deprecated. The installer would need a large code revision to prevent DLL injection, but all resources have been put toward development of the new client.”

Clearly version 8 was the new client that Microsoft was speaking of. Thus I have to assume that either he believed that Microsoft wasn’t going to do anything, or he mistook what Microsoft said. And as a result he waited three months and disclosed something that had already been fixed. In other words, it was an honest mistake.

And with that, you can go back to using Skype without worrying that you’re going to get pwned.

 
