Earlier this week we reported on a bug in Skype’s native updater that potentially allowed hackers to gain complete access to a user’s system. The bug was discovered by German researcher Stefan Kanthak, who claimed he had alerted Microsoft about it in September last year. Kanthak recently made his discovery public as he believed that Microsoft hadn’t fixed the bug.
According to Kanthak, the bug in Skype’s proprietary update mechanism left it vulnerable to DLL hijacking, which allowed hackers to load malicious DLLs to gain access to the SYSTEM account.
Now, according to a recent post on Microsoft’s community forums, the company claims to have already patched the bug back in October last year. In the post, Skype’s program manager Ellen Kilbourne writes:
“At Skype, we take security very seriously…There was an issue with an older version of the Skype for Windows desktop installer- version 7.40 and lower. The issue was in the program that installs the Skype software- the issue was not in the Skype software itself. Customers who have already installed this version of Skype for Windows desktop are not affected. We have removed this older version of Skype for Windows desktop from our website skype.com…The installer for the current version of Skype for Windows desktop (v8) does NOT have this issue, and it has been available since October, 2017.”
Microsoft has recommended that users update to the latest version of Skype in order to continue using the service without the looming fear of any security vulnerabilities.
Those running the latest version of Skype have already been protected from the vulnerability for the past few months, and no malware exploiting the vulnerability has been discovered yet. If you still haven’t updated to the latest version of Skype, you can head to the website and download it right away.