Dropbox for Windows has an unfixed Zero-day vulnerability

Home » Microsoft

Reading time icon 1 min. read

Calendar icon Published on

by Surur Davids 

published on

Share this article

Readers help support MSpoweruser. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help MSPoweruser sustain the editorial team Read more

Researchers from security company Decoder have revealed a zero-day vulnerability in the Dropbox for Windows app.

The vulnerability is in the DropboxUpdater service for the software and is a local privilege escalation vulnerability which would allow attackers to overwrite files in the System directory. Once compromised the researchers were able to get a command-line shell with SYSTEM privileges.

The team had informed Dropbox of the vulnerability in September but after 90 days the company has yet to fix the issue.

In a statement Dropbox confirmed:

“We learned of this issue through our bug bounty program and will be rolling out a fix in the coming weeks,” a Dropbox spokesperson says, “this bug can only be leveraged in limited circumstances, and we haven’t received any reports of this vulnerability impacting our users.”

The attack also requires a local user, but could easily be used as part of a chain attack. Read more about the attack at BleepingComputer here.

More about the topics: dropbox, security

Surur Davids

Surur Davids Shield

Smartphone Expert

Surur Davids is the founder of WMPoweruser which later became MSPoweruser.com. He's a smartphone expert with over a decade of experience.

Leave a Reply

Your email address will not be published. Required fields are marked *