The IT Nerd

You might recall that I posted a story about a Skype bug that could lead to you getting pwned by hackers, and that Microsoft wasn’t gong to fix it. Well, it’s actually been fixed.

Confused? Yeah. So was I. Hang with me and I’ll explain.

According to Skype program manager Ellen Kilbourne via a support forum post, the vulnerability is present in Skype for Windows versions 7.40 and lower. Last October, Microsoft released version 8 without the flaw. Thus the fix is to upgrade to the latest version.

So, how did we end up with this becoming an issue?

The issue was discovered by German researcher Stefan Kanthak. In the paper where he disclosed this bug, he says this:

“The engineers provided me with an update on this case. They’ve reviewed the code and were able to reproduce the issue, but have determined that the fix will be implemented in a newer version of the product rather than a security update. The team is planning on shipping a newer version of the client, and this current version will slowly be deprecated. The installer would need a large code revision to prevent DLL injection, but all resources have been put toward development of the new client.”

Clearly version 8 was the new client that Microsoft was speaking of. Thus I have to assume that either he believed that Microsoft wasn’t going to do anything, or he mistook what Microsoft said. And as a result he waited three months and disclosed something that had already been fixed. In other words, it was an honest mistake.

And with that, you can go back to using Skype without worrying that you’re going to get pwned.

ZDNet reports of a security flaw in Skype’s updater process that “can allow an attacker to gain system-level privileges to a vulnerable computer.” If the bug is exploited, it can escalate a local unprivileged user to the full ‘system’ level rights. Which means that a hacker can do anything they want.  What’s worse is that Microsoft, which owns Skype, won’t fix the flaw because it would require the updater to go through “a large code revision.” Instead, Microsoft is putting all its resources on building an altogether new client.

Microsoft has this really wrong. Now that this bug is public, it is only a matter of time before the pwnage begins. And what will Microsoft do then? Likely throw all its resources towards trying to stop the pwnage. So they might as well do that now and protect their user base in the process. But I guess the folks over in Redmond don’t see it that way. Thus, consider warned if you’re a Skype user.

It seems that China doesn’t like Skype. So much so that they’ve apparently banned the messaging app on all platforms that Skype is available on. Microsoft who owns Skype says that this is only “temporary”. But that’s just spin. What China likely wants is the ability snoop on calls and keep track of who’s using the app. I seriously doubt Microsoft will go for that. Thus don’t expect it back in the country anytime soon.

It seems that Microsoft wants to make Skype a whole lot more relevant to those who use social media a lot. Here’s some details from a press release from the folks in Redmond:

Rebuilt from the ground up, the new Skype vastly improves the ways you can connect with your favorite people and, of course, chatting is front and center. We’ve made group chats more lively, expressive, and—most importantly—personalized, so you can chat the way you want. With the new Skype, you’ll have countless ways to share life’s moments together, every day. Wherever life takes you, Skype allows you to seamlessly create, play, share, and do more with the people you care about most.

How are they going to do that? Here’s a video that shows the new Skype in action:

The newest update of Skype will become available to Android users over the next few months. Support for iOS is coming sometime in July. Desktop support for both PC and Mac will become available to users sometime this summer.

For those of you who use Skype WiFi to get online when tethering and paying some outrageous fee for WiFi doesn’t make sense, I have bad news for you. This was posted on the Skype WiFi page:

If you click on the FAQ, it says this:

We’re retiring Skype WiFi globally so we can better focus our efforts on bringing you the best possible experience through our core Skype features.

Now, I have to admit that I have not used Skype WiFi lately  as WiFi is pretty much everywhere. However it has come in useful at times. Thus I will be looking for other options as something like Skype WiFi is handy to have. I’ll post any alternatives that I come across in a future post.

The headline says it all. But the question is why should Windows and Mac users of Skype update at all? The answer is quite simple. If they don’t, they won’t be able to log in. Which means they won’t be able to use the popular messaging client as revealed in a post from late last week:

Skype for Windows desktop (7.16 and below) or Skype for Mac (7.0 to 7.18) will no longer be able to sign in.

Thus if you use Skype, make sure you update today avoid problems tomorrow.

If you run the macOS/OS X version of Skype, updating it now would be a really good idea. Trustwave’s SpiderLabs analysts discovered a hidden backdoor in Skype for Apple’s macOS and Mac OS X operating systems that could be used to spy on users’ communications without their knowledge. The backdoor, which has apparently been around since 2010 could allow any malicious third-party app to bypass authentication procedure and provide nearly complete access to Skype on macOS/OS X. Meaning:

• Read notifications of incoming messages (and their contents)
• Intercept, read and modify messages
• Log and record Skype call audio
• Create chat sessions
• Retrieve user contact information

None of that is good of course, but the issue is fixed in Skype version 7.37 and later. Thus if you use Skype, you should check to see if you’re running 7.37 or later to keep yourself safe. And you should do it soon as there is proof of concept code out there as I type this. Which means that the bad guys will have attack code shortly.

Skype is a means for communication for many including yours truly. That’s why the Internet was abuzz when a message posted on the Heartbeat site which alerts Skype users to status issues that “we have detected an issue that is affecting Skype in a number of ways.”

Those ways include:

• You can’t change your status, so if you and your contacts are set up in Skype as being offline, none of you can go online, which means no phone calls can be exchanged.
• A “small number” of group chat messages aren’t being delivered
• You may have trouble signing into Skype as your credit balance and profile details are taking longer than usual to show up.

As I type this, Microsoft who owns Skype has identified the issue and is working on a fix, but service hasn’t been fully restored as of yet. If there’s any update to this, I’ll post it here.

UPDATE: As of September 21 2015 23:53 GMT, Microsoft says that Skype services have been fully restored