A recently discovered serious vulnerability in Skype that could give an attacker system-level privileges won’t be patched anytime soon.

That’s because Microsoft Corp. has indicated that the fix requires a “large code revision.”

The vulnerability, discovered by security researcher Stefan Kanthak, allows a hacker to modify the Skype updater to draw on a malicious DLL library instead of the genuine one provided by Microsoft, giving the attacker access to a victim’s PC. Although the attack vector has been demonstrated using the Windows version of Skype, Kanthak said he believes that the same DLL hijacking method could also be applied to Skype versions for macOS and Linux as well.

Kanthak told ZDNet Monday that Microsoft was informed of the bug back in September. But it said the fix would require the Skype updater go through “a large code revision.” Instead, it decided to put “all resources” into building an altogether new Skype client that would overcome the vulnerability.

This isn’t the first time Skype has been found to be lacking in security. A critical flaw in the messaging service that could allow hackers to crash systems and execute code in them was revealed in June before Microsoft released a patch to fix the issue. Skype was also among numerous messaging applications that were exposed to hackers with the revelation  last month of a critical vulnerability with Electron, a common open-source framework used in applications.

It’s not clear what Microsoft’s time frame is for releasing a new version of Skype that tackles the issue. Since the vulnerability is not believed to have been exploited in the wild yet, there have been no warnings issued so far for Skype users to stop using the software. But now that the details of the vulnerability have been released, it may be only a question of when, not if.

Photo: Maxpixel