A nasty Skype bug could allow an attacker to gain “system” level access, if exploited. The bug affects Skype on both macOS and Windows desktop platforms.
However, Microsoft, which owns the voice- and video-calling service, says it won’t immediately fix the flaw because doing so would take “too much work”: it would require a full rewrite of the application, ZDNet reports.
Security researcher Stefan Kanthak says that the Skype updater can be maliciously modified to trick the application into loading the wrong DLL on Windows by creating a DLL, renaming it to one Skype would access, then replacing it with the original file.
Even though DLLs don’t exist on macOS, Kanthak says that the attack is still possible on macOS or Linux. Once system access is gained, an attacker “can do anything,” he says.
Microsoft says that instead of issuing a security update, it will fix the bug in a major revision of Skype later. This came after the company told Kanthak that its engineers were able to reproduce the bug.
Skype for macOS recently underwent a major interface update back in October. We’re unsure when the next major update of Skype will arrive, but you’ll probably want to be more careful when running Skype until then.