A security vulnerability has been found in the Skype updater that lets an attacker gain system-level privileges on a vulnerable computer.
Worse still, Microsoft says it will not fix the flaw immediately, because doing so would require too much work; Microsoft has chosen to put its resources into a new client instead.
The report describes the security flaw as follows:
Stefan Kanthak, a security researcher, found that the Skype update installer can be exploited through DLL hijacking, a technique that tricks an application into loading malicious code. An attacker can drop a malicious DLL into a temporary folder the user can access and rename it to match an existing DLL that non-privileged users are able to modify (such as UXTheme.dll).
The flaw works because, when the application searches for a DLL it needs, it finds the malicious DLL first. Once installed, Skype updates itself using its own built-in updater; when an update runs, it uses a separate executable file to carry out the update, and that executable is easily hijacked.
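As an added example (not part of the report, and not Skype's or Microsoft's code), here is a detection check a defender could run over Sysmon Event ID 7 (ImageLoad) records to spot the pattern described above: a DLL with a system-DLL name (such as UXTheme.dll) resolving from a user-writable temp folder rather than the Windows directory. The records are constructed, and the list of user-writable directory fragments is an assumption based on a default Windows layout.

```python
import ntpath

# Constructed Sysmon Event ID 7 (ImageLoad) style records; not real telemetry.
SAMPLE_LOADS = [
    {"Image": "C:\\Program Files (x86)\\Microsoft\\Skype for Desktop\\Skype.exe",
     "ImageLoaded": "C:\\Windows\\System32\\UXTheme.dll", "Signed": "true"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\SkypeSetup.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\UXTheme.dll", "Signed": "false"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\SkypeSetup.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"},
]

# DLL names mentioned in the report that legitimately live only under the Windows directory.
SYSTEM_DLL_NAMES = {"uxtheme.dll"}
# Path fragments a non-privileged user can normally write to (assumption: default Windows layout).
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def in_user_writable_dir(path):
    """True when the path sits under a directory an ordinary user can write to."""
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def in_system_dir(path):
    """True when the path sits under System32 or SysWOW64."""
    return path.lower().startswith(SYSTEM_DIRS)


def flag_suspicious_loads(records):
    """Return (image, dll, reasons) for loads that match the hijacking pattern."""
    findings = []
    for rec in records:
        dll = rec["ImageLoaded"]
        name = ntpath.basename(dll).lower()
        reasons = []
        if name in SYSTEM_DLL_NAMES and not in_system_dir(dll):
            reasons.append("system DLL name resolved outside the Windows directory")
        if in_user_writable_dir(dll) and rec.get("Signed", "").lower() != "true":
            reasons.append("unsigned DLL loaded from a user-writable directory")
        if reasons:
            findings.append((rec["Image"], dll, reasons))
    return findings


if __name__ == "__main__":
    for image, dll, reasons in flag_suspicious_loads(SAMPLE_LOADS):
        print(f"{image} loaded {dll}: {'; '.join(reasons)}")
```

In a real deployment the same two conditions map directly onto a SIEM query over the ImageLoaded and Signed fields; the name list would be extended to every DLL the updater is known to import.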