Dropbox for Windows has an unfixed Zero-day vulnerability


Researchers from security company Decoder have revealed a zero-day vulnerability in the Dropbox for Windows app.

The vulnerability is in the DropboxUpdater service for the software and is a local privilege escalation vulnerability which would allow attackers to overwrite files in the System directory. Once compromised the researchers were able to get a command-line shell with SYSTEM privileges.

The team had informed Dropbox of the vulnerability in September but after 90 days the company has yet to fix the issue.

In a statement Dropbox confirmed:

“We learned of this issue through our bug bounty program and will be rolling out a fix in the coming weeks,” a Dropbox spokesperson says, “this bug can only be leveraged in limited circumstances, and we haven’t received any reports of this vulnerability impacting our users.”

The attack also requires a local user, but could easily be used as part of a chain attack. Read more about the attack at BleepingComputer here.

Readers help support MSpoweruser. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help MSPoweruser sustain the editorial team Read more

User forum

0 messages