Kanthak told Microsoft about the vulnerability -- which could let hackers steal files, delete data or run ransomware -- back in September, and the company acknowledged a fix would require "a large code revision". Speaking to ZDNet, Kanthak said that even though Microsoft was able to reproduce the issue, a fix will only arrive "in a newer version of the product rather than a security update", the implication being that patching the issue would require too much work. Microsoft said it's put "all resources" into building a new client, but has not revealed when that's likely to land. We've reached out to Microsoft for comment.

Update: A Microsoft spokesperson gave us the following statement. "We have a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is that on issues of low risk, we remediate that risk via our Update Tuesday schedule.​"

Update 2: This story originally stated that an attacker needs physical access to a PC to take advantage of this flaw. This has been corrected to state the attacker simply needs access to the file system. Wording has also been updated to clarify that Skype is the app being tricked into loading malicious code.