Karlston
Posted December 24, 2019

Dropbox for Windows has an unfixed Zero-day vulnerability

Researchers from security company Decoder have revealed a zero-day vulnerability in the Dropbox for Windows app. The vulnerability is in the DropboxUpdater service for the software and is a local privilege escalation vulnerability that would allow attackers to overwrite files in the System directory. Once compromised, the researchers were able to get a command-line shell with SYSTEM privileges.

The team had informed Dropbox of the vulnerability in September, but after 90 days the company has yet to fix the issue. In a statement Dropbox confirmed:

“We learned of this issue through our bug bounty program and will be rolling out a fix in the coming weeks,” a Dropbox spokesperson says, “this bug can only be leveraged in limited circumstances, and we haven’t received any reports of this vulnerability impacting our users.”

The attack also requires a local user, but could easily be used as part of a chain attack.

Read more about the attack at BleepingComputer here.

Source: Dropbox for Windows has an unfixed Zero-day vulnerability (MSPoweruser)