The extent to which Microsoft will integrate Skype into its
existing products remains unclear and will give security vendors some headaches
after the acquisition.
If Microsoft’s
$8.5 billion deal for Skype goes through, the VOIP (voice-over-IP) provider will
become a business division within Microsoft headed by Skype CEO Tony Bates.
Skype’s services will be meshed with a variety of products in Microsoft’s
portfolio, including its Lync unified-communications platform, Outlook and Xbox
Live.
The level of “meshing” is what security vendors should be
alert for, Matt McKinley, U.S. director of product management for security
vendor Stonesoft, told eWEEK. His gut feeling is that it will be a big part of
the mobile platform, especially considering the general perception that Microsoft
is falling behind in that space against Apple and the iPhone. Skype services
will also be part of Windows
Phone, Ballmer said at a May 10 press conference.
Regardless of whether Skype is integrated at the
“lowest level” with Microsoft products, such as in the same way that Internet
Explorer is part of the Windows operating system, Microsoft must make sure that
Skype is protected, McKinley said. There’s “not a lot of documentation”
available that reliably states how well antivirus software protects Skype
communications, and considering the increase in mobile security threats, this
is a big area of concern, according to McKinley.
Skype will likely be a big part of Microsoft’s mobile
strategy down the road, especially in light of the recent deal with Nokia.
Microsoft and security vendors need to address mobile security aggressively.
Skype will come under “greater scrutiny” from
cyber-attackers after it becomes part of the Windows ecosystem, Paul Ducklin,
head of security at Sophos, predicted on the Naked
Security blog.
McKinley pointed out that Skype has had its own share of
security problems in the past, with security holes in the software and
the recent issue with the Android app not securing user data properly. Even so,
McKinley agreed that the announcement “definitely raised the eyebrows of the
hacking community.” It may lead the hacking community to concentrate more on
Skype, but it’s hard to say how or with what, according to McKinley.
Keep a Close Watch on Microsoft Alterations to Skype
The level of integration will also determine how future
security fixes for Skype will be released. McKinley couldn’t find a
“satisfactory answer” as to whether Microsoft will include Skype in its Patch
Tuesday updates, but it will likely depend on where Skype ends up. If, as
expected, Skype gets rolled into the mobile platform or continues to be a stand-alone
product, it will maintain its own patching schedule.
That would actually be better from a security standpoint, since
otherwise Skype may get lost amongst all the other Microsoft products. If
there’s a significant integration with the Windows platform, then it will be
part of Patch Tuesday, which will definitely make things easier for network administrators
to keep up-to-date.
For the first few months or so, Microsoft and Skype will
keep operating separately, McKinley said. But there’s “no doubt”
that Microsoft will start changing things in the software, and the company will
need to be proactive about communicating those changes promptly to the security
company, he said. Next-generation firewalls, like the one from Stonesoft,
develop signatures to identify Skype traffic from all other network traffic,
according to McKinley. Security vendors will need to be diligent and be
prepared to promptly update signatures when Microsoft starts tinkering with the
code.
If the organization has a firewall policy in place to
prevent outbound Skype traffic, it will be a problem if a change Microsoft makes
to the code affects the traffic enough that the firewall no longer recognizes
the packets as belonging to Skype, according to McKinley. The reverse is also
true if the organization relies on Skype and the changes result in the
firewall blocking the unknown traffic.
Whenever Microsoft rolls out new features or modifies its existing
products, it becomes a “catch-up race” for vendors and partners to make the
necessary adjustments to their own products, according to McKinley. “The same
thing, I am certain, will happen with Skype,” McKinley said.
From a developer standpoint, any integration and changes to
the core Skype code will affect existing programs from third-party developers.
Developers will have to keep up with changes to ensure new vulnerabilities
aren’t exposed in their applications.
McKinley expects to see changes coming down the pipeline six
to 12 months down the road. While the timing sounds a little aggressive, he
said it’s possibly better to be on the lookout than to be caught unprepared.
McKinley admitted to being surprised by the deal. “I knew
that Microsoft was going to do something surprising, but I didn’t see this one
coming,” he said.
Sophos’ Ducklin speculated that Microsoft may implement
Windows Live ID into Skype instead of maintaining the separate login system.
McKinley had no idea whether the integration would be overly complicated, but
said that would be a “very logical” thing to do, and may actually improve the
service.