[UPDATE 15.02.2018 – 10:48 CET] Microsoft has commented on reports about a severe security flaw in Skype. The company says that there was indeed such a problem with the Skype Installer, but clarifies that the newest Skype Version 8 is no longer affected and is therefore fully secure.


Microsoft today squashed a bug that was found in Skype’s updater process earlier this week. However, it seems the company’s method for stopping the flaw is to kill off the Skype classic experience. If that is the case, users of Skype on Windows 7 and Windows 8.1 could lose access to the service.

As reported on Monday, a security vulnerability could give hackers access to system-level privileges. If properly exploited, attackers could use Skype as a backdoor to get full system rights and enter all areas of an operating system.

In response, Microsoft said it was unable to fix the bug immediately because it would require a lot of work. Indeed, the company said patching the flaw would take a massive code rewrite. In other words, Microsoft would need to overhaul the whole underpinning of the classic Skype program.

It seems Microsoft found an alternative to rewriting code and fixing Skype… the company has decided to effectively kill off the classic app. The older version of Skype is no longer available anywhere as a download.

Microsoft has removed the download page (see above) from its website, and direct links to the installer have been removed. Of course, there are plenty of third-party websites that offer downloads for Skype, correct? Yes, but interestingly, these portal installers are also dead, meaning they don’t open to the Skype download anymore.

Also, the most recent Windows 10 Insider Build 17093 no longer allows Skype classic to be installed via the full installer.

Trying to avoid hyperbole, there are two possible explanations. Firstly, Microsoft may have pulled the downloader while it works on a fix, not wanting more people to download Skype with the flaw. The second possibility (and it looks like a real one) is that Microsoft has killed the older Skype experience.

Just to be clear, we are not talking about the Skype application that you can download from the Microsoft Store for Windows 10. That app is alive and well, so if you are running Windows 10 you have nothing to worry about.

However, if you’re a longtime Skype user on Windows 7 or Windows 8.1, you may be a bit more flustered, especially if you don’t have the app installed. Users on those legacy platforms who already have the app are fine and can continue using Skype. Well, they can continue using a Skype version with a nasty vulnerability baked in.

The bug in question was found by Stefan Kanthak, who discovered that the update installer could be attacked through a DLL hijacking technique, in which an application is tricked into loading attacker-supplied code. A malicious DLL could be placed in a temporary folder, disguised as an existing DLL. While the attack is hardly elegant, it worked and could be easily exploited.
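
As an added example (not from the original article, Microsoft or the researcher), the sketch below shows how a defender could flag the pattern described above: a DLL carrying a system library's name that is loaded from a temporary folder. The field names follow Sysmon's image-load event (Event ID 7); the DLL baseline, paths and events are constructed for illustration.

```python
import ntpath  # Windows path handling that also works on non-Windows hosts

# Assumed baseline: names of DLLs that normally load from System32.
# In practice, build this list from a clean image of the OS.
SYSTEM_DLL_NAMES = {"version.dll", "cryptbase.dll", "dwmapi.dll"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")

def find_planted_dll_loads(events):
    """Return findings for system-named DLLs loaded out of a temp folder."""
    findings = []
    for ev in events:
        loaded = ntpath.normpath(ev["ImageLoaded"]).lower()
        name = ntpath.basename(loaded)
        if name not in SYSTEM_DLL_NAMES:
            continue                      # not masquerading as a system DLL
        if loaded.startswith(TRUSTED_DIRS):
            continue                      # the genuine copy
        if not any(marker in loaded for marker in TEMP_MARKERS):
            continue                      # outside the scope of this check
        elevated = ev.get("User", "").upper() == r"NT AUTHORITY\SYSTEM"
        unsigned = ev.get("Signed", "false").lower() != "true"
        findings.append({
            "process": ev["Image"],
            "dll": name,
            "path": ev["ImageLoaded"],
            # A SYSTEM process loading an unsigned look-alike is the worst case.
            "severity": "high" if elevated and unsigned else "medium",
        })
    return findings

# Constructed sample events (hypothetical processes and paths).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Temp\upd-0001\updater.exe", "Signed": "false",
     "ImageLoaded": r"C:\Windows\Temp\upd-0001\version.dll",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\Temp\upd-0001\updater.exe", "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\cryptbase.dll",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\setup\installer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\setup\dwmapi.dll",
     "Signed": "false", "User": r"DESKTOP\alice"},
    {"Image": r"C:\Program Files\App\app.exe", "Signed": "true",
     "ImageLoaded": r"C:\Program Files\App\helper.dll", "User": r"DESKTOP\alice"},
]

if __name__ == "__main__":
    for finding in find_planted_dll_loads(SAMPLE_EVENTS):
        print(finding["severity"], finding["process"], "->", finding["path"])
```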

Moving Forward Without Skype?

Windows 7 and Windows 8.1 users without Skype installed have a problem. For those platforms, the Skype Windows Store app will not function. This means there is no way to get Skype as a download experience on their machines. There is an alternative through Skype for Web, which is available for all platforms, but it is not as feature-rich as the full desktop application.

Microsoft is now faced with two options. The company can put classic Skype out to pasture and turn to the Windows 10 app, essentially ignoring Windows 7 and Windows 8.1 users. Alternatively, the old experience can be re-coded or even rebuilt from scratch to be reintroduced onto the older platforms.

We have reached out to Microsoft for a comment and will update this story once we know more.
