
Dropbox for Windows has an unfixed Zero-day vulnerability


Karlston


Researchers from security company Decoder have revealed a zero-day vulnerability in the Dropbox for Windows app.

The vulnerability is in the DropboxUpdater service for the software and is a local privilege escalation vulnerability which would allow attackers to overwrite files in the System directory. Once it was compromised, the researchers were able to get a command-line shell with SYSTEM privileges.

The team had informed Dropbox of the vulnerability in September, but after 90 days the company has yet to fix the issue.

In a statement Dropbox confirmed:

“We learned of this issue through our bug bounty program and will be rolling out a fix in the coming weeks,” a Dropbox spokesperson says, “this bug can only be leveraged in limited circumstances, and we haven’t received any reports of this vulnerability impacting our users.”

The attack also requires a local user, but could easily be used as part of a chain attack. Read more about the attack at BleepingComputer here.

Source: Dropbox for Windows has an unfixed Zero-day vulnerability (MSPoweruser)
