That terrifying 'unfixable' Microsoft Skype security flaw: THE TRUTH

Microsoft has poured a bucket of cold water on people freaking out over a supposedly unfixable security flaw in Skype. The infosec world was atwitter this week over fears and headlines of a nasty bug in Redmond's video chat app that apparently cannot be addressed without a massive code rewrite. That the programming blunder was …

  1. NoneSuch Silver badge
    Joke

    It's NOT an accidental bug.

    It's an intentional NSA backdoor. Please get your terminology right.

    1. Anonymous Coward
      Anonymous Coward

      "It's an intentional NSA backdoor. Please get your terminology right."

      Are you confusing Microsoft with OpenBSD? https://www.theregister.co.uk/2010/12/15/openbsd_backdoor_claim/

      1. Hans 1
        Boffin

        @AC

        Are you confusing Microsoft with OpenBSD? https://www.theregister.co.uk/2010/12/15/openbsd_backdoor_claim/

        Ok, would you please be so kind as to first read the article you linked to, as well as all the resources? You will notice it was "tried" and "failed". Theo published the email for openness; I doubt he would have if there had been an unpatched issue.

        Nobody, ever, can confuse OpenBSD with Microsoft; Microsoft has more zero days found in its default Windows configuration EVERY SINGLE MONTH than OpenBSD has had in the decades it's been around (2, at the time of this writing [not sure this standard sentence is needed in this particular case]).

        No wonder you post AC, FUD, lies, and more FUD, RedmondBot.

  2. Dan 55 Silver badge
    Trollface

    The things they'll do to get people to update to version 8, eh?

  3. Anonymous Coward
    Anonymous Coward

    I'll quickly check my Skype version

    Version: 16

    Well that clears that up then...

    1. Tim 11

      Re: I'll quickly check my Skype version

      Hmm, I'm on version 7.40 (the proper Windows version, not the UWP version). If I click "check for updates" it says I have the latest version. I have no wish to "upgrade" to the UWP version, so I guess I'm sticking with V7 for the moment.

      1. Michael Wojcik Silver badge

        Re: I'll quickly check my Skype version

        Hmm, I'm on version 7.40 (the proper Windows version, not the UWP version). If I click "check for updates" it says I have the latest version.

        This is correct. There are no updates for Skype v7, and the hole is still there. Skype 8 is a significantly different piece of software from the traditional Skype desktop client, which ended at v7.

        Kanthak pointed out today that v7 is still available from Microsoft.

  4. Richard 51
    Alert

    WTF

    Just checked the version on my Windows 10 lappy, it said 7.4, so I duly tried to update it and Win 10 went into one of its update cycles, which meant I got to stare at the bloody blue screen while it updated itself for 20 mins.

    Return to Skype, update it and check: 7.8 (that's not right). Try again and WTF, it's now back to 7.4 and the updater says I have the latest version.

    Am I going crazy, don't answer that. The correct response is YES!

  5. Test Man

    Issue is with the INSTALLER, not Skype.

    If you have Skype installed already, you're fine. No need to update to 8 (but obviously Microsoft would *prefer* it).

    Installer for 7.40 has been removed from the servers (apparently). Website was offering the 8 installer since late last year anyway (unless you had Windows 10 in which case it directed you to the Windows Store for that version).

    1. Michael Wojcik Silver badge

      Issue is with the INSTALLER, not Skype. If you have Skype installed already, you're fine.

      This is completely incorrect. The issue is with the updater, which is present in all installations of Skype v7 and earlier. On a standard Windows install, it's in %ProgramFiles(x86)%\Skype\Updater\Updater.exe.

      Thanks for playing, though.

      (And I see you're in good company, since 7 other people apparently couldn't be bothered to check your erroneous statement, but simply voted your post up. Sigh.)

  6. Anonymous Coward
    Windows

    Yawn

    I'm getting fed up with these shroud-waving securidee researchers. The probability of these exploits is vastly smaller than one of my staff blabbing titbits down the boozer.

    Also I have Skype 12. Two louder.

    1. the spectacularly refined chap

      Re: Yawn

      I tend to agree, some of these "researchers" seem more interested in publicity than anything else. Giving a bug a non-descriptive but media friendly name is a first indication, a logo is even worse.

      Here, I simply can't imagine the kind of feedback supposedly given coming from the likes of Microsoft. I can easily imagine feedback from a lone open source developer along the lines of "bigger, that'll be a nightmare to fix" but comments about the "difficulty" of the fix from an organisation the size of MS and established bug and security teams... I think not.

    2. Anonymous Coward
      Anonymous Coward

      Re: Yawn

      Even with the bug, surely they could just extract the installer temporary files to a protected folder rather than userland accessible folder, simple fix?

  7. Anonymous Coward
    Anonymous Coward

    Since I'm no longer updating Skype to new versions...

    ... I guess I'm fully protected from this bug.

    Skype 8 is a joke even a five year old would find irritating.

  8. This post has been deleted by its author

  9. Nate Amsden

    MS killed skype

    Their biggest mistake was breaking all backwards compatibility (which broke countless Skype systems, whether on phones or TVs or other devices that would never get upgraded). A close second perhaps was the terrible new Skype clients, at least on Windows and Linux (which probably share a lot of code, similar to how Slack does things, which is equally bad).

    I just tried to fire up Skype 4.3 on Linux and it just exits when I try to login (I know it's not compatible).

    Fortunately I never really had much dependence on Skype outside of work, and work switched to Slack 2 or 3 years ago. Initially I missed Skype, but Skype has gone down the same road as Slack (crap web app wrapped in a browser), so there really isn't anything to go back to (for text chat at least; voice and video probably made up less than 2% of my Skype activity). Slack was last restarted on my computer 1 week ago - 300MB of memory for a chat app (I have seen it over 1G before). Mozilla SeaMonkey started at the same time (computer bootup); it is using about 310MB of memory.

    1. Evil Auditor Silver badge

      Re: MS killed skype

      Well, to my taste, Skype always had a crap user interface. And since it requires IE to work (WTF?), eventually it totally killed itself for me. That is after it died on my dated mobile for lack of upgradeability.

      R.I.P.R.I.H. skype

      (Rot In Hell)

  10. Anonymous Coward
    Anonymous Coward

    Carp

    Have they fixed the all data routed through super nodes flaw so your data can be harvested?

    1. Anonymous Coward
      Anonymous Coward

      Super nodes?

      That sounds like p2p, which is not what Skype is nowadays. Of course it's centralized and spy-friendly.

  11. Anonymous Coward
    Anonymous Coward

    Proud to say...

    I've never "Skype(d)"

    (that I know of)

  12. Anonymous South African Coward Bronze badge

    Skype still a thing, what with its new and horribilus interface?

  13. Milton

    Universally Irritating

    I have to use Skype with some relatives in the Far East who insist upon it, but of course it's been an insecure horrible POS since even before MS got their grubby mitts on it. The "upgrade" last year, which further ruined the UI (taking a leaf from the Mozilla playbook?), made me go to the trouble of downloading and reinstalling an older version, and switching off auto updates on Android.

    Notwithstanding that Skype is crappy anyway, what's going on with the constant obsession with "improving" UIs that were working perfectly well, familiar to the user, behaving in a predictable fashion - replacing them with new and fashionably nasty ones?

    1. Anonymous Coward
      Anonymous Coward

      Re: Universally Irritating

      "what's going on with the constant obsession with "improving" UIs that were working perfectly well, familiar to the user, behaving in a predictable fashion - replacing them with new and fashionably nasty ones?"

      That's an easy one to answer: it's a Millennial developer and designer job creation / continuation scheme!

      Think about it: many products, once created and then improved for a short while, really only need a little tweak or bug fix from time to time. Continuously keeping the team "busy" "improving" the product is simply creating work when none is really justified. Keeps them off the streets, keeps tax revenues, retains a sense of purpose - all these are good things, but these brains could be better purposed to fix problems and improve stuff elsewhere.

  14. Anonymous Coward
    Anonymous Coward

    Unfixable Bugs

    We've all seen those. Bugs that, at first sight, seem so embedded in the surrounding systems that nothing short of a nuclear explosion would shift them. We say as much to our bosses, many times (because they never listen the first time), and finally the message gets through and ultimately someone puts out a press release or updates the original issue as Can't Fix.

    Meanwhile the problem is eating away at our minds while we're munching on our cornflakes, and suddenly we realise that our first fears were completely unfounded, and a fix is a simple one-liner in a seemingly unrelated part of the code. We try it out, and lo and behold it works. Who would a thunk it? Job done. :)

    (The more cynical reader might suggest we made the bug appear to be impossible to fix so that we could claim extra glory later on, but we don't do that. We're professionals. Honest, guv.)

  15. Anonymous Coward
    Anonymous Coward

    You spelt Skype wrong

    It's spelt 'Shite'

    1. fedoraman

      Re: You spelt Skype wrong

      No, it's spelled 'Lync' ;-)

  16. jms222

    Current directory in path

    Next time somebody complains about UNIX family operating systems not having the current directory in the path, this is something else to point them to.

    Acknowledging the differences between DLLs on Windows and executables on UNIX, the issue still seems ever so similar to me. Though you really, really shouldn't be doing system stuff in a directory writeable by others.
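The comparison jms222 draws above (a user-writable location on the executable search path, the UNIX cousin of a program loading DLLs from a directory other users can write to) can be turned into a quick defender's check. The script below is an added example, not code from the thread or from Microsoft; the function names `audit_path` and `dir_mode` and the sample list in the usage line are my own. It assumes only a POSIX shell and a `stat` command (GNU or BSD form), and it flags three kinds of risky PATH entry: an empty entry or `.` (current directory searched), a relative path, and an existing directory writable by group or others.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PATH-style list for entries that
# would let another local user plant a look-alike binary.
#
# Reported categories:
#   current-dir  an empty entry or "." (the current directory gets searched)
#   relative     a path that resolves differently depending on the working directory
#   writable     an existing directory writable by group or others
#
# Usage: sh audit_path.sh "$PATH"

# Print the permission bits of a directory in octal, or nothing if stat fails.
# GNU stat (-c) is tried first, then the BSD/macOS form (-f).
dir_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# audit_path PATHLIST
# Prints one "<category>:<entry>" line per risky entry.
# Exit status 0 if nothing risky was found, 1 otherwise.
audit_path() {
    rest="$1:"            # trailing ':' so the last field (even an empty one) is seen
    rc=0
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"   # everything up to the first ':'
        rest="${rest#*:}"     # drop that field and its ':'
        case "$entry" in
            ""|.)
                printf 'current-dir:%s\n' "${entry:-<empty>}"
                rc=1
                continue
                ;;
            /*) ;;            # absolute path: fall through to the permission check
            *)
                printf 'relative:%s\n' "$entry"
                rc=1
                continue
                ;;
        esac
        # Missing directories are skipped here; they cannot host a binary yet.
        [ -d "$entry" ] || continue
        mode=$(dir_mode "$entry")
        # The leading 0 makes the shell parse the mode as octal; 022 = group+other write.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            printf 'writable:%s\n' "$entry"
            rc=1
        fi
    done
    return $rc
}

# Run against the list given on the command line, if any.
if [ -n "${1:-}" ]; then
    audit_path "$1"
fi
```

The split is done by hand with parameter expansion rather than by setting `IFS`, because a trailing `:` (which means "current directory" to the exec search) is silently dropped by shell field splitting and would otherwise go unreported.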

  17. tempemeaty
    FAIL

    Skype is garbage anyways

    After having been forced by Microsoft to upgrade anyways, I can't believe how much worse Skype has gotten. It's amazing it's so bad. I'm in shock Microsoft would hang their name on this software. It blows me away that any organization would release software this buggy to the public.

  18. Jos V

    yeah... but but but..

    "Far be it from us to run to Microsoft's rescue, but the vulnerability is present in Skype for Windows versions 7.40 and lower. In October 2017, Microsoft released version 8 without the flaw, so if you kept up to date, you're fine. If you're running version 7 for some reason, get version 8."

    Ok, going to Help->about:

    Skype Version 7.40.0.151.

    Right, so let's go help-> Check for updates:

    "You already have the latest version of Skype installed"

    So... it seems not to automatically update.

    If the now brand new download from the MS site doesn't work, I'll be right angry.

    1. Test Man

      Re: yeah... but but but..

      I wouldn't worry about it, the flaw is in the installer, NOT Skype itself.

      As long as you don't use a 7.x installer to install that version of Skype, you are fine. You're fine if you already have Skype installed.

  19. Anonymous Coward
    Anonymous Coward

    No doubt Microsoft did this researcher the courtesy of letting him know they'd patched the bug when they did. What? They didn't? Well, I guess there's the cause (keeping everyone in the dark) to the effect (publicly revealing the bug). Someone in this process was an arrogant pr*ck, and I'm thinking it wasn't the researcher. Give them enough rope...

    1. IneptAdept

      I think it was the researcher

      I think that Microsoft knew what would happen. I assume the researcher messaged Microsoft to tell them that he was releasing this information .....

      Oh what, no he didn't, because he wanted the internet points and fame it would get him...

      Microsoft are not the company they used to be; they are getting better with Satya at the helm.

      And the sooner people realise that the better

      Don't get me wrong, they still fuck me off continuously..... Skype for Business doesn't store the previous chat in the same window, so I have to go through Outlook to find them.

      Some of the forced updates are annoying, but that's because of people not updating their shit and then moaning at Microsoft for insecure software....

      As I said, nowhere near as bad as they were, but you are the sort of prick who would go around going "Micro$hit" etc., fucking dickhead.

      1. ArrZarr Silver badge
        Mushroom

        Re: I think it was the researcher

        +1 for commenting on how SfB is the most miserable example of a chat program to have ever existed. I would rather use smoke signals generated from my own burning flesh than use it </hyperbole>

      2. Michael Wojcik Silver badge

        Re: I think it was the researcher

        I think that Microsoft knew what would happen. I assume the researcher messaged Microsoft to tell them that he was releasing this information .....

        Oh what, no he didn't, because he wanted the internet points and fame it would get him...

        The disclosure history is in Kanthak's posts to BUGTRAQ and Full Disclosure.

        Perhaps, just perhaps, you could do five seconds of research before throwing mud at your betters?

  20. shogenson1

    <<Notwithstanding that Skype is crappy anyway, what's going on with the constant obsession with "improving" UIs that were working perfectly well, familiar to the user, behaving in a predictable fashion - replacing them with new and fashionably nasty ones?>>

    Similar story:

    I don't know if any of the readers are users of eBay, but they basically lost me as a regular user due to this type of "UI improvement" issue.

    They had a really good mobile app that I loved and used for about 3 years. Someone then decided it needed an update, which was crap. I was able to locate the install file for the version I liked after finding lots of rants about the hated new version. Someone had posted a link to install the version I liked. I did just that and then kept it from updating that application. Happy camper... usually checked on watched items and search lists almost daily.

    A couple of weeks ago I launched the app and got the message: This version is no longer supported. Please click here to upgrade.

    I did, expecting the worst. I was right.

    The new UI is total crap. Spent about 5 minutes trying to navigate with it and then removed the app from both my mobile devices (phone, tablet) and now only access via the PC where the interface DOES still work like I want it to.

    If eBay is trying to reduce user traffic, they're doing a bang-up job. What kind of idiots run a business this way? If it ain't broke, don't fix it!

  21. Pink Duck
    FAIL

    Skype Desktop v8 on Win 10

    A delightful 58 MB download that, if up-to-date, will tell you to go use the Microsoft Store instead to get version 12, has no system tray icon, and needs additional clicks for everything.

    Or, run the installer having set compatibility mode for Windows 8. Job done, realise your mistake, then go back to 7.4.

  22. Anonymous Coward
    Anonymous Coward

    Everyone should start weaning themselves off Skype.

    There are better alternatives out there.

  23. PhilB

    "so if you kept up to date, you're fine"

    Okay, except for the fact that Microsoft don't notify you that 7.x is discontinued when you start or check for updates, v8 was never offered as an update for v7, and despite v7 being installed for a bunch of people as a 'feature update' from WU, v8 is not offered via that channel either.

    v7 being 'discontinued' also did not stop MS from continuing to serve ads - many of which had mismatched/invalid certs - to v7 users. It was only after I bitched at them months ago about this ad issue persisting that they suddenly went "oh, you should be using the new version 8 now".

    It's pretty rich to take a crack at users for 'not keeping up to date' when a regular user has no reasonable way of knowing. Or are we all supposed to just check every vendor's webpage for new versions of their product which ostensibly has an update feature?

  24. Salsarow

    So this is NOT fixed! I've been hacked and now I'm being blackmailed!

    Is there any lawsuit against Skype/Microsoft because of the blackmailing that has resulted from this flaw? Is there a way, a program, to hack them back? Is there a way to send the blackmailer a packet that fries her PHONE and COMPUTER?

    Is there a law enforcement agency that will pursue a blackmailer?
