Microsoft Windows, Skype Integration Poses Security Challenges - Page 2

The level of integration will also determine how future security fixes for Skype will be released. McKinley couldn't find a "satisfactory answer" as to whether Microsoft will include Skype in its Patch Tuesday updates, but it will likely depend on where Skype ends up. If, as expected, Skype gets rolled into the mobile platform or continues to be a stand-alone product, it will maintain its own patching schedule.

That would actually be better from a security standpoint, since otherwise Skype may get lost amongst all the other Microsoft products. If there's a significant integration with the Windows platform, then it will be part of Patch Tuesday, which will definitely make it easier for network administrators to keep up to date.

For the first few months or so, Microsoft and Skype will keep operating separately, McKinley said. But there's "no doubt" that Microsoft will start changing things in the software, and the company will need to be proactive about communicating those changes promptly to the security company, he said. Next-generation firewalls, like the one from Stonesoft, develop signatures to distinguish Skype traffic from all other network traffic, according to McKinley. Security vendors will need to be diligent and prepared to promptly update signatures when Microsoft starts tinkering with the code.

If the organization has a firewall policy in place to prevent outbound Skype traffic, it will be a problem if a change Microsoft makes to the code affects the traffic enough that the firewall no longer recognizes the packets as belonging to Skype, according to McKinley. The reverse is also true if the organization relies on Skype and the changes result in the firewall blocking the unknown traffic.

Whenever Microsoft rolls out new features or modifies its existing products, it becomes a "catch-up race" for vendors and partners to make the necessary adjustments to their own products, according to McKinley. "The same thing, I am certain, will happen with Skype," McKinley said.

From a developer standpoint, any integration and changes to the core Skype code will affect existing programs from third-party developers. Developers will have to keep up with changes to ensure new vulnerabilities aren't exposed in their applications.

McKinley expects to see changes coming down the pipeline in six to 12 months. While the timing sounds a little aggressive, he said it's possibly better to be on the lookout than to be caught unprepared.

McKinley admitted to being surprised by the deal. "I knew that Microsoft was going to do something surprising, but I didn't see this one coming," he said.

Sophos' Ducklin speculated that Microsoft may integrate Windows Live ID into Skype instead of maintaining the separate login system. McKinley had no idea whether the integration would be overly complicated, but said that would be a "very logical" thing to do, and may actually improve the service.