If you’ve ever made a video call, it was probably via Skype. But just because it’s popular doesn’t mean it’s the best. And more importantly, it’s not the most secure, either.
A security researcher has discovered a dangerous exploit in Skype that could grant attackers access to your entire PC. Here’s what you should know about the security risk and the best free programs to replace Skype.
Skype’s Security Flaw
Researcher Stefan Kanthak discovered a flaw in Skype in September 2017 and made it public in February 2018. It’s a relatively simple exploit that works by abusing Skype’s update process. While Skype is owned by Microsoft, the company doesn’t update it through Windows Update.
Instead, Skype occasionally runs its own update checker to see if you’re using the latest version. When there’s an update available, Skype runs an executable file, located in the C:\Windows\Temp directory, as the SYSTEM account. Unlike your own administrator account, Windows uses SYSTEM to run various OS services. It has complete access to everything on your computer. As you can imagine, it would be a problem if someone malicious gained access to this account.
Unfortunately, that’s exactly what this bug entails. Once the Skype updater runs, it calls at least one DLL, the file UXTheme.dll. When a program needs a DLL, it first checks the folders closest to it. Thus, if someone placed a phony DLL file with the same name into C:\Windows\Temp, Skype would use that instead of the legitimate one in the System32 folder.
Once the updater ran the compromised DLL, it would have complete access to your system due to it running with SYSTEM privileges. Because the C:\Windows\Temp directory is accessible to all users, anyone who got into your filesystem could plant the rogue DLL. Next time you updated Skype, you could be hit with ransomware, have your files stolen, or more.
Microsoft is aware of this vulnerability (and has even warned against it in the past), but, unfortunately, it can’t fix it with a simple update. Microsoft’s reply to Kanthak included the following:
[They] have determined that the fix will be implemented in a newer version of the product rather than a security update […] The installer would need a large code revision to prevent DLL injection, but all resources have been put toward development of the new client.
How to Stay Safe
Since Microsoft hasn’t rushed a fix for this, you’re safest off by uninstalling Skype from your PC. To check if you have the desktop version of Skype installed, type Skype into the Start Menu of Windows 10. If you see Desktop app under the entry, you have the vulnerable version installed.
Trusted Microsoft Store app means you have the UWP version of Skype, which thankfully is not vulnerable to this exploit. This is because it updates via the Microsoft Store, not the standalone updater. While the app has mixed reviews, it’s a suitable option if you need access to Skype.
If you don’t want to use the UWP version of Skype or don’t have Windows 10, you can use the stripped-down web version of Skype. It’s nothing too fancy, but it still has the functionality you need.
Totally sick of Skype and want to use this flaw as an excuse to jump ship? You can replace it with one of the below options and have nothing to worry about.
The most popular service of its kind after Skype, Hangouts can do pretty much everything Skype lets you do. Search for someone using their email address or phone number, and you can start chatting with them via text, an audio call, or a video chat. You can add groups of ten people, and your Google contacts are automatically added and organized.
Using Hangouts, you can even place calls to mobile or landline phones that aren’t using the service. These are almost always free inside the U.S. and Canada but vary in other countries. If you have lots of friends who aren’t Apple users, this is a great choice for your home messenger.
The only problem with Hangouts is that its official desktop version isn’t fantastic. For a while, the Chrome app Common Hangouts was the best way to use the service, but Google has killed the app — it redirects to the main Hangouts page now.
Thus, you can use the official desktop program, only available as a Chrome app. Or try using an alternative messenger like Franz, which lets you use Hangouts and other services all from one program. YakYak is another good third-party desktop client for Hangouts.
Google also plans to split Hangouts into two separate services, which it’s aiming at business clients. We assume that Hangouts as we know it will remain for home users, but it’s something to watch.
ooVoo is one of our favorite tools for making free group conference calls, and it’s a great way around Skype. If you’re a socialite, you should love the generous 12-person limit ooVoo places on video calls. It features plenty of features for one-on-one messaging, too. The service prides itself on high-quality audio and video during calls, perfect if nothing but the best will do.
— ooVoo (@ooVoo) November 16, 2016
You can record video calls for later viewing, or leave photo or video messages for a bit of fun. Groups can even watch YouTube videos together if everyone is using the PC app. ooVoo offers in-app purchases, but they’re limited to cosmetics like avatars. The base service is always free.
LINE is another messenger that lets you easily keep up with your friends. Aside from the Windows desktop, it’s also available for all major mobile devices. As you’d expect, the service provides free video calls, voice calls, and text messaging for groups. If you’d like to jazz up your chats, you can pick from thousands of animated stickers. Most of these cost money in the LINE store, though.
If you share a lot in your chats, LINE supports some media that even Skype doesn’t. You can leave someone a voice message for later, or even beam your location if needed. LINE also promotes “official accounts” of celebrities, though there’s no guarantee that your favorites are here. Watching an ad enables you to make a short international call for free.
LINE has a good set of features and is worth a try if you’re looking for something a little different from the usual.
Tox is the app to beat if you’re looking for a secure Skype alternative. It’s not headed by a corporation. Rather, it’s an open-source tool made by “people fed up with the existing options that spy on us, track us, censor us, and keep us from innovating.”
You might expect such an app to feature a lousy interface or a confusing setup, but not so with Tox. Grab and install either qTox (the full-featured app) or uTox (meant for lighter systems) and start chatting. Tox is completely free and doesn’t feature any ads. Secure chats, voice calls, and video calls mean that nobody can spy on you. You can even share your screen and trade files with no limits.
What’s more, Tox runs off of its user’s systems, so there are no servers for malicious folk to attack. It might be new to you, but Tox is definitely worth a look if you value privacy and freedom in your apps.
Another classic choice in the messaging arena, Viber is available as a desktop download and a Modern app. You’ll find all the standard features inside, including group chats, video calling, and stickers. If you often switch between devices, you’ll appreciate Viber’s handoff feature that lets you move calls to your mobile.
Like LINE, Viber features public chats that let you connect with popular websites if you don’t have any friends to message at the moment. It also has games built in if you want to battle your buddies. Viber doesn’t stand out for any particular reason, but it’s a solid app nonetheless.
ICQ has been around since 1998, but rest assured that it’s seen an update for the modern era.
It’s a simple messenger app without any fluff. The app encrypts your calls, and you can of course chat in groups. If someone sends a voice message, you can convert it into text if you can’t hear at the moment. Live chats let you talk to people about themes like travel or dating.
We're exactly where we were when everyone was using a variety of services like MSN Messenger, AIM, ICQ, Google Talk except now on mobile.
— Michael Nugent (@michaelnugent) March 17, 2017
You can even message contacts who don’t use ICQ. The service turns your messages into free text messages when you do so. ICQ also supports large file transfers up to 4 GB. If you’ve got some friends on the service, you’ll find something to enjoy here.
Which Is Your Favorite Skype Alternative?
No matter which alternative you use, you should get rid of the desktop version of Skype. There’s no reason to keep the potential security risk around on your system. Once Microsoft releases the revamped version, you’ll be clear to reinstall it. But for now, stick to the Modern or web versions of Skype, or an alternative.
Other options offer a similar feature set to the above, like WeChat. Chances are that one of these six apps will meet your messaging needs if you’re dropping Skype. Of course, a service is only as good as the number of people you know that use it. Thus, even if you love one of these, you’ll have to convince friends to join it too.
If you stick with Skype, check out how to become a more efficient user.
Which messaging services have you installed on your PC? Tell us what makes it your favorite, and suggest the best apps we missed, down in the comments!
Image Credit: De Space Studiovia Shutterstock.com