1-Click Vulnerabilities found in Popular Desktop Applications

A number of 1-Click vulnerabilities have been discovered in various popular software applications that can be exploited with a single click. Their exploitation allows an attacker to potentially execute arbitrary code on target systems.

The problems were discovered by security researchers at Positive Security Fabian Bräunlein and Lukas Euler and affect applications such as Telegram, Nextcloud, VLC, LibreOffice, OpenOffice, Bitcoin / Dogecoin, Wireshark and Mumble wallets.

“Desktop applications that pass user-supplied URLs to be opened by the operating system are often vulnerable to code execution while interacting with the user. Code execution can be achieved either by opening a URL that points to a malicious executable file (.desktop, .jar, .exe, etc.) on an Internet-accessible file resource (nfs, webdav, smb, etc.), or when an additional vulnerability in the URI handler of an open application, ”the experts explained.

The vulnerabilities are related to insufficient validation of the entered URL, which, when opened with the underlying operating system, leads to the inadvertent launch of a malicious file.

The experts reported their findings to the developers, and most applications received fixes:

• Nextcloud - issue ( CVE-2021-22879 ) fixed in version 3.1.3;
• Telegram - the problem has been fixed;
• VLC Player - version 3.0.13, which fixes the vulnerability, will be released next week;
• OpenOffice - the problem will be fixed shortly (CVE-2021-30245);
• LibreOffice - Fixed on Windows, but Xubuntu OS is still vulnerable ( CVE-2021-25631 );
• Mumble - fixed in version 1.3.4 ( CVE-2021-27229 );
• Dogecoin - fixed in version 1.14.3;
• Bitcoin ABC - fixed in version 0.22.15;
• Bitcoin Cash - fixed in version 23.0.0;
• Wireshark - fixed in version 3.4.4 (CVE-2021-22191);
• WinSCP - fixed in version 5.17.10 ( CVE-2021-3331 ).