To make the issue even worse, Microsoft knows the flaw is there and exploitable, but has no plans for an immediate fix because it would require too much work.
According to security website CAPEC, attackers can use the method to exploit the "functionality of the Windows DLL loader where the process loading the DLL searches for the DLL to be loaded first in the same directory in which the process binary resides and then in other directories". The exploit would allow the hacker to download the malicious DLL and place it into a user-accessible temporary folder, renaming it to an existing DLL that could be modified by a user lacking privileges.
The flaw is limited to the full desktop Skype program; users of the Universal Windows Platform (UWP) app are not affected. Kanthak says the Skype updater is susceptible to DLL hijacking.
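To make the search-order mechanism concrete from a defender's side, here is an added example (not code from the article, Kanthak's report, or Microsoft) that models the loader's lookup and audits whether a user-writable directory is consulted before the trusted copy of a DLL is reached. The search order, the directory names, the "example.dll" name and the filesystem contents are all constructed for illustration; the real Windows order has more steps and depends on loader settings.

```python
from dataclasses import dataclass, field


@dataclass
class Directory:
    """Model of one directory: the file names it holds and whether an
    unprivileged user can write to it (constructed, not a real filesystem)."""
    files: set = field(default_factory=set)
    user_writable: bool = False


def default_search_order(app_dir, system_dir, windows_dir, cwd, path_dirs=()):
    """Simplified loader order (assumption): the directory holding the process
    binary is searched first, then the other directories in turn."""
    return [app_dir, system_dir, windows_dir, cwd, *path_dirs]


def restricted_search_order(system_dir):
    """Mitigation: a loader that only consults the system directory, as when a
    program loads by fully qualified path or restricts its search path."""
    return [system_dir]


def resolve(dll_name, search_order, fs):
    """Return the first directory in search_order that contains dll_name."""
    wanted = dll_name.lower()
    for d in search_order:
        entry = fs.get(d)
        if entry and any(f.lower() == wanted for f in entry.files):
            return d
    return None


def hijack_risk(dll_name, search_order, fs):
    """Return the first user-writable directory the loader would consult at or
    before the directory the trusted DLL resolves from, or None if the trusted
    copy is found first. A writable directory that early in the order is where
    a same-named, user-placed file would be picked up instead."""
    trusted = resolve(dll_name, search_order, fs)
    for d in search_order:
        entry = fs.get(d)
        if entry and entry.user_writable:
            return d
        if d == trusted:
            return None
    return None


# Constructed sample layout: an updater launched from a user temp folder,
# the trusted DLL living in System32, and an app installed under Program Files.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SYS32 = r"C:\Windows\System32"
WINDIR = r"C:\Windows"
PROGFILES = r"C:\Program Files\ExampleApp"

CONSTRUCTED_FS = {
    TEMP: Directory({"updater.exe"}, user_writable=True),
    SYS32: Directory({"example.dll"}, user_writable=False),
    WINDIR: Directory(set(), user_writable=False),
    PROGFILES: Directory({"app.exe"}, user_writable=False),
}


def audit_updater_from_temp():
    """Binary runs out of a writable temp folder: the loader looks there first."""
    order = default_search_order(TEMP, SYS32, WINDIR, cwd=TEMP)
    return hijack_risk("example.dll", order, CONSTRUCTED_FS)


def audit_app_from_program_files():
    """Binary runs from a non-writable install dir: trusted copy is reached first."""
    order = default_search_order(PROGFILES, SYS32, WINDIR, cwd=TEMP)
    return hijack_risk("example.dll", order, CONSTRUCTED_FS)


def audit_restricted_loader():
    """Same temp-launched binary, but with the search restricted to System32."""
    return hijack_risk("example.dll", restricted_search_order(SYS32), CONSTRUCTED_FS)


if __name__ == "__main__":
    print("updater from temp, default order  :", audit_updater_from_temp())
    print("app from Program Files, default    :", audit_app_from_program_files())
    print("updater from temp, restricted order:", audit_restricted_loader())
```

The first audit reports the temp directory because the loader consults it before reaching the trusted copy; the second reports nothing, since the trusted copy in System32 is found before the writable current directory is ever considered; the third shows that restricting the search path removes the writable directory from the lookup entirely, which is the kind of revision the article describes Microsoft weighing for the installer.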
Kanthak told ZDNet Monday that Microsoft was informed of the bug back in September. From what The Inquirer has been able to find out, Microsoft will not be releasing a patch for vulnerable versions but will instead release a new version at some point, without the vulnerability baked in.
Update 2: This story originally stated that an attacker needs physical access to a PC to take advantage of this flaw.
"The team is planning on shipping a newer version of the client, and this current version will slowly be deprecated", he added.
The reason quoted is, "the installer would need a large code revision to prevent DLL injection".
With no further action made by Microsoft since, Kanthak published the report on Friday as a warning to Skype users.