Zero-day vulnerability detected in the Dropbox 10 Windows app; users should pay attention!
A group of freelance security researchers recently announced a zero-day vulnerability in the Dropbox app for Windows, which could allow an attacker to gain SYSTEM privileges with very little effort.
Specifically, two freelance security researchers, known by the nicknames Chris Danieli and Decoder, first discovered the vulnerability in early September and reported it to Dropbox on September 18. At that time, Dropbox pledged to fix it within 90 days. However, more than 3 months have passed and Dropbox has not released a security patch for this vulnerability, so Chris Danieli and Decoder decided to issue a public notice to warn users.
The flaw exists in the Dropbox application for Windows and is an arbitrary file overwrite problem, which can let an attacker with local user access escalate privileges and execute remote code as SYSTEM. According to the researchers, the problem most likely originates in the DropboxUpdater service.
DropboxUpdater is installed as part of the Dropbox client software, and the team says that it runs as SYSTEM in standard installations and that "one of the dropboxupdate tasks is run hourly by the task scheduler". Once triggered, the updater writes a log file to a location belonging to the SYSTEM account, and this is the point that attackers can abuse. Indeed, the researchers successfully overwrote files controlled by the SYSTEM account and obtained a shell (a command-line interface) with SYSTEM privileges.
Fortunately, it is not easy for hackers to exploit this vulnerability. First and foremost, an attacker must have local user access to the target computer, which significantly narrows the attacker's opportunities. That is no reason for complacency, however. The Dropbox application needs to be installed in the standard way, with administrator privileges, but since most people leave the installation at its defaults, the risk remains.
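The conditions described above (a task that runs as SYSTEM and writes into a directory a local user may also be able to write to) can be audited on a standard installation. The following is an added example, not code from Dropbox or the researchers; the trusted-principal list and the log directory path are assumptions, and the path is a placeholder because this page does not give it.

```powershell
# Added audit example; not Dropbox's or the researchers' code.
# Principals allowed to write (assumption; extend for your environment).
$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

# Rights that let a principal create, replace or re-permission files.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$GenericMask = 0x50000000   # GENERIC_ALL | GENERIC_WRITE, seen on some inherit-only entries

function Get-UntrustedWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    # Return Allow entries granting write-type rights to anyone outside $Trusted.
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $rights = [int]$_.FileSystemRights
        $_.AccessControlType -eq 'Allow' -and
        ((($rights -band $WriteMask) -ne 0) -or (($rights -band $GenericMask) -ne 0)) -and
        $Trusted -notcontains $_.IdentityReference.Value
    }
}

# 1. Scheduled tasks matching the name quoted on this page that run as SYSTEM.
$tasks = Get-ScheduledTask | Where-Object {
    $_.TaskName -like '*dropboxupdate*' -and
    $_.Principal.UserId -in @('SYSTEM', 'NT AUTHORITY\SYSTEM', 'S-1-5-18')
}
$tasks | Select-Object TaskName, State, @{n='RunsAs'; e={ $_.Principal.UserId }}

# 2. Directories to review: the updater's log directory (placeholder, set it
#    yourself) plus the folder of every executable those tasks launch.
$dirs = @('C:\PLACEHOLDER\DropboxUpdater-log-directory')
foreach ($t in $tasks) {
    foreach ($a in $t.Actions) {
        if ($a.Execute) {
            $exe = [Environment]::ExpandEnvironmentVariables($a.Execute.Trim('"'))
            $dirs += Split-Path -Parent $exe
        }
    }
}

# 3. Report every write-capable entry held by a non-trusted principal.
foreach ($d in ($dirs | Select-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $d -PathType Container)) {
        Write-Warning "Skipping (not found): $d"
        continue
    }
    Get-UntrustedWriteAce -Path $d |
        Select-Object @{n='Directory'; e={ $d }}, IdentityReference, FileSystemRights, IsInherited
}
```

Any row in the final output is a directory used by a SYSTEM-run updater task that an ordinary account can also write into, which is the precondition this article describes.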
As reported by Bleeping Computer experts, a "micro-patch" currently available on 0patch can temporarily fix this problem (by cutting the logging code from DropboxUpdater) until the 'genuine' fix from Dropbox is released.
As for Dropbox, a company spokesman said: 'We have learned about this issue through the bug bounty program and will offer a fix in the coming weeks. This vulnerability can only be exploited for limited use and we have not received any reports of it affecting our users.'