1-Click Vulnerabilities Found in Popular Desktop Applications

A number of 1-Click vulnerabilities have been found in various popular desktop applications. They can be exploited with a single click and allow attackers to potentially execute malicious code on target systems.

Security researchers from Positive Security found the flaws in applications including Telegram, Nextcloud, VLC, LibreOffice, OpenOffice, the Bitcoin and Dogecoin wallets, Wireshark, and Mumble.

“Desktop applications that pass user-supplied URLs to be opened by the operating system are often vulnerable to code execution with user interaction. Code execution can be achieved either by opening a URL that points to a malicious executable file (.desktop, .jar, .exe, etc.) on an Internet-accessible file resource (nfs, webdav, smb, etc.), or when an additional vulnerability in the URI handler of the opened application is exploited,” the experts explained.

The vulnerabilities stem from insufficient validation of such URLs: when the application hands a link to the underlying operating system to open, the OS may fetch a file from an attacker-controlled network share and execute it.
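The check the researchers' description implies, as an added example (not code from Positive Security or from any of the affected projects): a scheme allowlist applied before a user-supplied link is handed to the OS. The affected applications are mostly C++ (QDesktopServices::openUrl in Qt, ShellExecute on Windows, xdg-open on Linux); the same logic is written here in Python with a pluggable `opener` so that it runs without launching anything. The allowlist contents, the `classify_url`/`open_url_hardened` names, the sample links and the hostnames in them are assumptions for illustration.

```python
"""URL allowlisting before handing a user-supplied link to the OS.

Added example: not code from Positive Security or from any affected project.
The real applications call QDesktopServices::openUrl / ShellExecute / xdg-open;
the `opener` callback below stands in for that call.
"""
import re
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

# Schemes this hypothetical application actually needs to delegate to the OS.
# file, smb, nfs, webdav/dav(s), ftp and vendor schemes are deliberately absent:
# handing any of them to the OS can mount a remote share and launch what it finds.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})

# ASCII control characters and space: never legitimate in a link to be opened,
# and a classic way to confuse a downstream handler or smuggle an extra argument.
_CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")


def classify_url(url: str) -> Tuple[bool, str]:
    """Decide whether `url` may be passed to the OS opener.

    Returns (allowed, reason). Rejects anything that is not an absolute URL
    with an allowlisted scheme, including UNC paths and scheme-less strings
    that ShellExecute / xdg-open would otherwise resolve as local paths.
    """
    if not isinstance(url, str) or not url:
        return False, "empty"
    if _CONTROL_CHARS.search(url):
        return False, "contains control characters or whitespace"
    # \\host\share\payload.exe or //host/share: a network path, not a URL.
    if url.startswith("\\\\") or url.startswith("//"):
        return False, "UNC or network path"
    parts = urlsplit(url)
    scheme = parts.scheme.lower()           # FILE:// must not bypass the check
    if not scheme:
        return False, "no scheme (would be resolved as a local path)"
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme '%s' is not allowlisted" % scheme
    if scheme in ("http", "https") and not parts.hostname:
        return False, "no host"
    return True, "ok"


Opener = Callable[[str], None]


def open_url_unsafe(url: str, opener: Opener) -> None:
    """The vulnerable pattern: whatever the peer sent goes straight to the OS."""
    opener(url)


def open_url_hardened(url: str, opener: Opener) -> Optional[str]:
    """Open only allowlisted URLs; return the rejection reason otherwise."""
    allowed, reason = classify_url(url)
    if not allowed:
        return reason          # caller shows 'Blocked link: <reason>' instead
    opener(url)
    return None


def triage(urls: List[str], opener: Opener) -> List[Tuple[str, Optional[str]]]:
    """Run open_url_hardened over a batch; returns (url, rejection reason or None)."""
    return [(u, open_url_hardened(u, opener)) for u in urls]


# Constructed sample links of the kind a chat message, a shared note or a
# document hyperlink might carry; none of these hosts exist.
SAMPLE_LINKS = [
    "https://example.com/meeting-notes",
    "mailto:alice@example.com",
    "http://files.example/report.pdf",
    "file://attacker.example/share/run.desktop",       # remote .desktop via file:
    "FILE://attacker.example/share/payload.jar",       # uppercase scheme
    "smb://attacker.example/share/payload.exe",
    "nfs://attacker.example/export/run.desktop",
    "\\\\attacker.example\\share\\payload.exe",        # Windows UNC path
    "//attacker.example/share/payload.exe",            # scheme-less network path
    "example.com/not-a-url",                           # no scheme: a local path
    "http://",                                         # allowlisted scheme, no host
    "http://evil.example/page\n--open-tainted",        # embedded newline
]

if __name__ == "__main__":
    launched: List[str] = []   # records what a real opener would have launched
    for url, rejected in triage(SAMPLE_LINKS, launched.append):
        print(("BLOCKED (%s)" % rejected) if rejected else "opened", repr(url))
```

The allowlist is necessary but not sufficient: an allowed http(s) link still reaches the browser with all of its own download handling, and any application registered for an allowlisted scheme receives the full URL and must itself be robust. The check also has to sit at the single chokepoint through which every link passes (clickable links in messages, hyperlinks in documents, protocol-handler dispatch), since a second, unguarded path to the OS opener reintroduces the bug.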

The experts reported their findings to the software developers, and most applications received updates:

  • Nextcloud - issue (CVE-2021-22879) fixed in version 3.1.3;

  • Telegram - the problem has been fixed;

  • VLC Player - version 3.0.13, which fixes the vulnerability, will be released next week;

  • OpenOffice - the problem will be fixed shortly (CVE-2021-30245);

  • LibreOffice - fixed on Windows, but Xubuntu is still vulnerable (CVE-2021-25631);

  • Mumble - fixed in version 1.3.4 (CVE-2021-27229);

  • Dogecoin - fixed in version 1.14.3;

  • Bitcoin ABC - fixed in version 0.22.15;

  • Bitcoin Cash - fixed in version 23.0.0;

  • Wireshark - fixed in version 3.4.4 (CVE-2021-22191);

  • WinSCP - fixed in version 5.17.10 (CVE-2021-3331).
