Dropbox for Windows has an unfixed Zero-day vulnerability




Researchers from security company Decoder have revealed a zero-day vulnerability in the Dropbox for Windows app.

The vulnerability is in the DropboxUpdater service for the software and is a local privilege escalation flaw that would allow attackers to overwrite files in the System directory. Once the service was compromised, the researchers were able to obtain a command-line shell with SYSTEM privileges.

The team had informed Dropbox of the vulnerability in September, but after 90 days the company has yet to fix the issue.

In a statement Dropbox confirmed:

“We learned of this issue through our bug bounty program and will be rolling out a fix in the coming weeks,” a Dropbox spokesperson says. “This bug can only be leveraged in limited circumstances, and we haven’t received any reports of this vulnerability impacting our users.”

The attack also requires a local user, but it could easily be used as one step in an attack chain. Read more about the attack at BleepingComputer.
