
1-Click Vulnerabilities found in Popular Desktop Applications

Exploiting these issues allows an attacker to potentially execute arbitrary code on target systems.

A number of 1-Click vulnerabilities have been discovered in various popular software applications that can be exploited with a single click. Their exploitation allows an attacker to potentially execute arbitrary code on target systems.

The problems were discovered by Positive Security researchers Fabian Bräunlein and Lukas Euler and affect applications such as Telegram, Nextcloud, VLC, LibreOffice, OpenOffice, Bitcoin/Dogecoin wallets, Wireshark and Mumble.

“Desktop applications that pass user-supplied URLs to be opened by the operating system are often vulnerable to code execution while interacting with the user. Code execution can be achieved either by opening a URL that points to a malicious executable file (.desktop, .jar, .exe, etc.) on an Internet-accessible file resource (nfs, webdav, smb, etc.), or when an additional vulnerability in the URI handler of an open application,” the experts explained.

The vulnerabilities stem from insufficient validation of the supplied URL: when the application hands it to the underlying operating system to open, a malicious file can be launched inadvertently.
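The validation gap described above can be closed with a scheme allowlist applied before a URL reaches the OS opener. The following is an added example, not code from Positive Security or from any of the affected projects; the function names, the http/https-only allowlist and the sample URLs are assumptions made for illustration.

```python
import webbrowser
from urllib.parse import urlsplit

# Assumption: the application only ever needs to hand web links to the OS.
ALLOWED_SCHEMES = {"http", "https"}

def is_safe_to_open(url: str) -> bool:
    """Return True only for plain http(s) URLs that name a host."""
    if not isinstance(url, str) or not url or url != url.strip():
        return False
    # Control characters never belong in a link; backslashes also cover
    # Windows UNC paths such as \\host\share\file.exe.
    if "\\" in url or any(ord(c) < 0x20 or c == "\x7f" for c in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. malformed IPv6 literal
        return False
    # An empty scheme means a bare local path, which OS openers treat as a file.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    return bool(parts.hostname)

def open_external_link(url: str, opener=webbrowser.open) -> bool:
    """Pass url to the OS opener only if validation succeeds."""
    if not is_safe_to_open(url):
        return False
    opener(url)
    return True

# Constructed sample inputs (hosts and paths are invented).
SAMPLES = [
    "https://example.org/docs",
    "smb://files.example/share/update.desktop",
    "dav://files.example/tool.jar",
    "FILE:///tmp/report.desktop",
    "\\\\files.example\\share\\setup.exe",
    "/home/user/Downloads/tool.exe",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "open" if is_safe_to_open(sample) else "reject"
        print(f"{verdict:6}  {sample!r}")
```

An allowlist is used rather than a blocklist of nfs, webdav and smb because the set of schemes and handlers registered on a desktop is open-ended.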

The experts reported their findings to the developers, and most applications received fixes:

  • Nextcloud - issue (CVE-2021-22879) fixed in version 3.1.3;
  • Telegram - the problem has been fixed;
  • VLC Player - version 3.0.13, which fixes the vulnerability, will be released next week;
  • OpenOffice - the problem will be fixed shortly (CVE-2021-30245);
  • LibreOffice - fixed on Windows, but Xubuntu OS is still vulnerable (CVE-2021-25631);
  • Mumble - fixed in version 1.3.4 (CVE-2021-27229);
  • Dogecoin - fixed in version 1.14.3;
  • Bitcoin ABC - fixed in version 0.22.15;
  • Bitcoin Cash - fixed in version 23.0.0;
  • Wireshark - fixed in version 3.4.4 (CVE-2021-22191);
  • WinSCP - fixed in version 5.17.10 (CVE-2021-3331).
