Me, myself & IT

Skype – or Redmond, You’ve got a Problem!

Introduction
Problems: Problem № 1; Problem № 2; Problem № 3; Problem № 4; Problem № 5; Problem № 6; Problem № 7
MSRC Case 40550
Updates: Update № 1; Update № 2; Update № 3; Update № 4

Introduction

In May 2011, Microsoft^® bought Skype.

In 2012, Microsoft started to distribute Skype for Windows^™ Desktop to users of Windows^™ XP, Windows Vista^® and Windows 7, first through Windows Update as optional update 2692954 and 2727727, then through Microsoft Update as optional update 2876229, and made the latter available in the Microsoft Update Catalog.

Note: Microsoft’s designation of the initial installer as update is an euphemism!

Problems

Problem № 1

Their home-grown executable installer skypesetupfull(7.3.0.101).exe, the version available through Microsoft Update and the latest version available in the Microsoft Update Catalog, is susceptible to DLL spoofing alias DLL hijacking or DLL preloading, a well-known and well-documented vulnerability.

The CVE^® lists the vulnerability as CVE-2016-5720, the CWE^™ lists the weaknesses as CWE-426: Untrusted Search Path and CWE-427: Uncontrolled Search Path Element, the CAPEC^™ lists the attack as CAPEC-471: Search Order Hijacking.

On a fully patched Windows 7 SP1, the vulnerable executable installer loads at least the following DLLs from its application directory instead from Windows’ system directory %SystemRoot%\System32\: MSImg32.dll, OLEAcc.dll, RichEd20.dll, DWMAPI.dll or UXTheme.dll, ClbCatQ.dll and COMRes.dll.
Additionally it loads MZP.dll from the DLL search path.

On Windows Vista and newer versions of Windows NT, due to its embedded Application Manifest the executable installer requests administrative privileges and access rights: all DLLs it loads are therefore executed with administrative privileges and access rights too. An attacker who is able to place any of these DLLs in the directory where the executable is stored, typically the users Downloads directory %USERPROFILE%\Downloads\, gains arbitrary code execution with escalation of privilege.

Microsoft published advisories and guidance to avoid this beginner’s error, for example Dynamic-Link Library Security, Insecure Library Loading Could Allow Remote Code Execution, Secure loading of libraries to prevent DLL preloading attacks and Load Library Safely, which their own developers and their quality assurance but obviously ignore!

Problem № 2

The home-grown updater installed with skypesetupfull(7.3.0.101).exe is vulnerable too.

The CWE^™ lists its additional weaknesses as CWE-377: Insecure Temporary File, CWE-378: Creation of Temporary File With Insecure Permissions and CWE-379: Creation of Temporary File in Directory with Incorrect Permissions.

Once installed, Skype uses its own proprietary update mechanism instead of Microsoft Update: the program %ProgramFiles%\Skype\Updater\Updater.exe is run periodically under the NT AUTHORITY\SYSTEM alias LocalSystem user account, with the environment variables TEMP and TMP set to %SystemRoot%\Temp.
When an update is available, %ProgramFiles%\Skype\Updater\Updater.exe copies or extracts another executable as %TMP%\SKY‹abcd›.tmp alias %SystemRoot%\Temp\SKY‹abcd›.tmp and executes it using the command line

"%SystemRoot%\Temp\SKY‹abcd›.tmp" /QUIET

This executable is vulnerable to DLL hijacking too: it loads at least DWMAPI.dll or UXTheme.dll from its application directory %SystemRoot%\Temp\ instead from Windows’ system directory %SystemRoot%\System32\.
The directory %SystemRoot%\Temp\ is writable for unprivileged (local) users: its NTFS ACL entry (A;CI;0x100026;;;BU) grants members of the BUILTIN\Users group the permission to create files and subdirectories, and its ACL entry (A;OICIIO;FA;;;CO) subsequently grants full access to their own creations.
An unprivileged user who places a rogue DWMAPI.dll, UXTheme.dll or any of the other DLLs loaded by the vulnerable executable %SystemRoot%\Temp\SKY‹abcd›.tmp in %SystemRoot%\Temp\ gains escalation of privilege to the LocalSystem account.

Problem № 3

Version 7.3.0.101 updates to version 7.40, which has the problems of version 7.3.0.101 too, and does not upgrade to any newer version, neither through its vulnerable updater nor through Microsoft Update!

Problem № 4

The MSKB article Skype for Microsoft Update tells a lie:

Skype releases new versions of Skype for Windows throughout the year. To help you stay current with new functionality and features of the Skype experience, Skype is available through Microsoft Update.

Correct is: the version 7.3.0.101 offered through Microsoft Update was digitally signed on March 25, 2015 at 14:39:33 UTC, it was published on April 24, 2015 at 11:29:26 UTC, it was superseded, it is outdated, it is vulnerable, and Microsoft doesn’t fix it!

The MSKB article Skype for Microsoft Update tells a second lie:

To make it simple and fast for Skype users to upgrade to the latest version of Skype for Windows, we have integrated Skype into Microsoft Update. If you have Skype installed on your PC already, either directly from www.skype.com or through a preinstalled version on your PC, you will receive the latest version of Skype through Microsoft Update.

Correct is: Skype for Windows Desktop is not updated through Microsoft Update, but by a home-grown and vulnerable updater installed with the client, and the versions available through Microsoft Update or in the Microsoft Update Catalog do not receive the latest version of Skype for Windows Desktop!

Problem № 5

On February 14, 2018, Microsoft published their Update on Skype for Windows desktop installer – version 7.40 and lower, which is but wrong and misleading:

At Skype, we take security very seriously.

No, you don’t!
If Skype or Microsoft were really concerned about their users’ security, they would at least have published an advisory about 100 days ago to inform their customers, and would have removed version 7.40 and lower back then, everywhere!

Additionally, Skype would not implement and use an executable installer, but a Microsoft Installer package Skype-‹version›.msi, and it would not implement and use a proprietary updater, but Microsoft Update.
To discard these basic services offered by the Windows platform is a major design flaw, and to implement a vulnerable proprietary installer and updater instead is an epic failure!

There was an issue with an older version of the Skype for Windows desktop installer – version 7.40 and lower. The issue was in the program that installs the Skype software – the issue was not in the Skype software itself. Customers who have already installed this version of Skype for Windows desktop are not affected. We have removed this older version of Skype for Windows desktop from our website skype.com.

This issue still persists:

Users who have version 7.40 or lower installed don’t get version 8, neither through Skype’s vulnerable updater nor through Microsoft Update!
The vulnerable executable installer skypesetupfull(7.3.0.101).exe is still available through Microsoft Update!
The optional update 2876229 alias Skype for Windows Desktop 7.3 is still offered to users of Windows XP, Windows Vista and Windows 7 who don’t have this or version 7.40 installed, i.e. users who manually removed version 7.40 or lower or who manually installed version 8 are offered the vulnerable executable installer again!
The vulnerable executable installers are also still available in the Microsoft Update Catalog!

Note: Microsoft’s designation of this nasty vulnerability as issue is yet another euphemism!

The installer for the current version of Skype for Windows desktop (v8) does NOT have this issue, and it has been available since October, 2017.

Yet another lie!
All installers of version 8, first released October 30, 2017, available via https://go.skype.com/windows.desktop.download alias https://get.skype.com/go/getskype-skypeforwindows, still allow escalation of privilege, just in a slightly different way!

The executable installers Skype-8.9.0.1.exe, Skype-8.10.0.4.exe, Skype-8.10.0.9.exe, Skype-8.11.0.4.exe, Skype-8.12.0.2.exe, Skype-8.12.0.14.exe, Skype-8.13.0.3.exe, Skype-8.17.0.2.exe, Skype-8.18.0.6.exe, Skype-8.19.0.1.exe, Skype-8.20.0.9.exe, Skype-8.21.0.7.exe, Skype-8.21.0.9.exe, Skype-8.21.0.10.exe, Skype-8.22.0.2.exe, Skype-8.23.0.10.exe, Skype-8.24.0.2.exe, Skype-8.25.0.5.exe, Skype-8.27.0.85.exe, Skype-8.28.0.41.exe, Skype-8.29.0.47.exe Skype-8.29.0.50.exe, Skype-8.30.0.50.exe, and Skype-8.31.0.92.exe are vulnerable and have the problem 2 described above, on Windows XP SP3 alias Windows Embedded POSReady 2009 additionally the problem 1.
The executable installers Skype-8.14.0.10.exe, Skype-8.15.0.4.exe and Skype-8.16.0.4.exe are vulnerable and have the problems 1 and 2 described above.
The classifications CVE-2016-5720, CWE-377, CWE-379, CWE-426, CWE-427 and CAPEC-471 still apply.

Problem № 6

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

X:\>FileVer.exe /V Skype-8.31.0.92.exe
--a-- W32i   APP ENU        8.31.0.92 shp 62,518,512 09-26-2018 skype-8.31.0.92.exe
	Language	0x0409 (Englisch (USA))
	CharSet		0x04e4 Windows, Multilingual
	OleSelfRegister	Disabled
	CompanyName	Skype Technologies S.A.
	FileDescription	Skype Setup
	ProductName	Skype
	ProductVersion	8.31
	FileVersion	8.31.0.92
	LegalCopyright	(c) 2018 Skype and/or Microsoft
	Comments	This installation was built with Inno Setup.
…
X:\>

Problem № 7

According to Skype’s system requirements, their latest Skype for Windows Desktop supports Windows XP SP3 alias Windows Embedded POSReady 2009.

Users of these versions of Windows NT but can’t validate the authenticity and integrity of the executable installer Skype-8.31.0.92.exe: its digital signature misses the SHA-1 signature mandatory for these operating systems.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

X:\>SignTool.exe Verify /V Skype-8.31.0.92.exe

Verifying: Skype-8.31.0.92.exe
SHA1 hash of file: 8FA09E21B3149C68C30346EABFA0C97E7604638F
SignTool Error: WinVerifyTrust returned error: 0x80096010
	The digital signature of the object did not verify.
Signing Certificate Chain:
    Issued to: Microsoft Root Certificate Authority 2011
    Issued by: Microsoft Root Certificate Authority 2011
    Expires:   23.03.2036 00:13:04
    SHA1 hash: 8F43288AD272F3103B6FB1428485EA3014C0BCFE

        Issued to: Microsoft Code Signing PCA 2011
        Issued by: Microsoft Root Certificate Authority 2011
        Expires:   08.07.2026 23:09:09
        SHA1 hash: F252E794FE438E35ACE6E53762C0A234A2C52135

            Issued to: Skype Software Sarl
            Issued by: Microsoft Code Signing PCA 2011
            Expires:   29.05.2019 21:07:41
            SHA1 hash: 0233B2BFDEB37561B67318D82AC4FBA9F89FA6A9

File is not timestamped.
SignTool Error: File not valid: Skype-8.31.0.92.exe

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1

X:\>

Note: it also misses a counter signature alias timestamp!

MSRC Case 40550

The MSRC assigned case number 40550 to my vulnerability report and replied with the following statements:

The engineers provided me with an update on this case. They've reviewed the code and were able to reproduce the issue, but have determined that the fix will be implemented in a newer version of the product rather than a security update. The team is planning on shipping a newer version of the client, and this current version will slowly be deprecated. The installer would need a large code revision to prevent DLL injection, but all resources have been put toward development of the new client.
The updated client should be shipping in the next few weeks, and will become the supported and recommended version.
As for updating via the Skype Updater rather than WU/MU, this allows the team to ship updates much more frequently rather than once a month. The team releases bug fixes, performance improvements, and new features, and the Updater gives them the flexibility to do this.
We'll be closing this security case due to the pending release of the new client. Thank you again for your report, and I encourage you to continue reporting security issues to secure@microsoft.com.

OUCH: the statements fail to spend a single word for the vulnerability of the home-grown updater which allows privilege escalation (see Problem № 2), and don’t provide an announcement to publish a security advisory to inform and warn their unsuspecting customers about the multiple vulnerabilities!

Updates

Update № 1

On March 20, 2018, at 16:55:31 UTC, Skype made the vulnerable executable installer SkypeSetupFull.exe for version 7.41.0.101 alias classic skype available to users of Windows 7 and newer versions of Windows NT through their official download link https://go.skype.com/classic.skype alias https://get.skype.com/go/getskype-rec-full!

Microsoft Windows 7 [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

X:\>FileVer.exe /V SkypeSetupFull.exe
--a-- W32i   APP ENU      7.41.0.101 shp 58,834,376 03-20-2018 skypesetupfull.exe
	Language        0x0409 (Englisch (USA))
	CharSet         0x04e4 Windows, Multilingual
	OleSelfRegister Disabled
	CompanyName     Skype Technologies S.A.
	FileDescription Skype
	InternalName    SkypeSetup.exe
	OriginalFilenam SkypeSetup.exe
	ProductName     Skype
	ProductVersion  7.41
	FileVersion     7.41.0.101
	LegalCopyright  (c) Skype Technologies S.A.
…
X:\>

The executable installer is compressed with UPX, which reduced the file size by 6.8%.

Note: the classifications CVE-2016-5720, CWE-377, CWE-379, CWE-426, CWE-427 and CAPEC-471 still apply.

Update № 2

On March 21, 2018, at 12:55:31 UTC, Skype made the outdated, superseded and vulnerable executable installer SkypeSetupFullXp.exe for version 7.36.0.150 available to users of Windows XP through their official download links https://go.skype.com/windows.desktop.download and https://go.skype.com/classic.skype!
Despite its designation for Windows XP, its embedded Application Manifest requests administrative privileges on Windows Vista and newer versions of Windows NT!
Additionally its digital signature has expired!

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

X:\>FileVer.exe /V SkypeSetupFullXp.exe
--a-- W32i   APP ENU      7.36.0.150 shp 57,491,928 03-21-2018 skypesetupfullxp.exe
	Language	0x0409 (Englisch (USA))
	CharSet		0x04e4 Windows, Multilingual
	OleSelfRegister	Disabled
	CompanyName	Skype Technologies S.A.
	FileDescription	Skype
	InternalName	SkypeSetup.exe
	OriginalFilenam	SkypeSetup.exe
	ProductName	Skype
	ProductVersion	7.36
	FileVersion	7.36.0.150
	LegalCopyright	(c) Skype Technologies S.A.
…
X:\>SignTool.exe Verify /V SkypeSetupFullXp.exe

Verifying: SkypeSetupFullXp.exe
SHA1 hash of file: 4C24FC3B469898F6F964705783CB6691AA9FEFA0
SignTool Error: WinVerifyTrust returned error: 0x80096010
	The digital signature of the object did not verify.
Signing Certificate Chain:
    Issued to: Microsoft Root Certificate Authority 2011
    Issued by: Microsoft Root Certificate Authority 2011
    Expires:   22.03.2036 23:13:04
    SHA1 hash: 8F43288AD272F3103B6FB1428485EA3014C0BCFE

        Issued to: Microsoft Code Signing PCA 2011
        Issued by: Microsoft Root Certificate Authority 2011
        Expires:   08.07.2026 22:09:09
        SHA1 hash: F252E794FE438E35ACE6E53762C0A234A2C52135

            Issued to: Skype Software Sarl
            Issued by: Microsoft Code Signing PCA 2011
            Expires:   11.12.2017 22:23:42
            SHA1 hash: E4C095A4329DF3F5B07624EDF1E1BE0905E82F48

File is not timestamped.
SignTool Error: File not valid: SkypeSetupFullXp.exe

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1

X:\>

The executable installer is compressed with UPX, which reduced the file size by 6.9%.

Note: the classifications CVE-2016-5720, CWE-377, CWE-379, CWE-426, CWE-427 and CAPEC-471 still apply.

Update № 3

On March 23, 2018, the MSRC informed me per mail that the vulnerable executable installers for version 7.x have been removed from the Microsoft Update Catalog.

Note: if this were true, the download link for skypesetupfull(7.3.0.101).exe should not work any more.

Update № 4

On May 17, 2018, the JPCERT/CC published the security advisory JVN#91151862, which lists CVE-2018-0594 and CVE-2018-0595.

Note: Microsoft refuses to fix these vulnerabilities!

Contact and Feedback

If you miss anything here, have additions, comments, corrections, criticism or questions, want to give feedback, hints or tipps, report broken links, bugs, deficiencies, errors, inaccuracies, misrepresentations, omissions, shortcomings, vulnerabilities or weaknesses, …: don’t hesitate to contact me and feel free to ask, comment, criticise, flame, notify or report!

Use the X.509 certificate to send S/MIME encrypted mail.

Note: email in weird format and without a proper sender name is likely to be discarded!

I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text.
I also expect to see your full (real) name as sender, not your nickname.
I abhor top posts and expect inline quotes in replies.

Terms and Conditions

By using this site, you signify your agreement to these terms and conditions. If you do not agree to these terms and conditions, do not use this site!

The software and the documentation on this site are provided as is without any warranty, neither express nor implied.
In no event will the author be held liable for any damage(s) arising from the use of the software or the documentation.
Permission is granted to use the current version of the software and the current version of the documentation solely for personal private and non-commercial purposes.
An individuals use of the software or the documentation in his or her capacity or function as an agent, (independent) contractor, employee, member or officer of a business, corporation or organisation (commercial or non-commercial) does not qualify as personal private and non-commercial purpose.
Without written approval from the author the software or the documentation must not be used for a business, for commercial, corporate, governmental, military or organisational purposes of any kind, or in a commercial, corporate, governmental, military or organisational environment of any kind.
Redistribution of the software and the documentation is allowed only in unmodified form of its current version and free of charge.

Data Protection Declaration

This web page records no (personal) data and stores no cookies in the web browser.

The web service is operated and provided by

Telekom Deutschland GmbH
Business Center
D-64306 Darmstadt
Germany
<‍hosting‍@‍telekom‍.‍de‍>
+49 800 5252033

The web service provider stores a session cookie in the web browser and records every visit of this web site with the following data in an access log on their server(s):

the (pseudonymised) IP address;
the date and time of the request;
the URL of the requested web page or file;
the Referer and User-Agent HTTP headers sent by the web browser;
the result (success or failure) of the request;
the amount of data received and sent.