Dropbox Zero-Day Vulnerability

In mid-September 2019, security researchers Decoder and Chris Danieli found a vulnerability in the DropboxUpdater service, which is installed alongside the Dropbox desktop client on Windows. It lets a standard local user make the service, which runs as SYSTEM, overwrite or delete files that the user has no permission to modify, and from there escalate to full SYSTEM privileges.


This is a security issue because it defeats the separation between user accounts and the operating system that Windows privilege levels are meant to enforce. The updater runs as SYSTEM but writes its log files into a directory that ordinary users can modify, so an attacker who gains access to any local account on the machine can redirect those privileged file operations at files of their choosing and leverage that into a command prompt running as SYSTEM. That is full control of the computer, and a starting point for attacking any network it is connected to.
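
As an added example, not code from the original article, from Dropbox or from the researchers, the following PowerShell audits the pattern described above: it checks whether a directory that a SYSTEM service writes into grants write, modify or delete rights to low-privilege principals. The log path, the list of low-privilege principals and the set of rights treated as dangerous are assumptions for illustration; adjust them for the directory you want to check.

```powershell
# Added example, not Dropbox's or the researchers' code.
# Flags ACL entries on a directory that let low-privilege users create, replace or
# delete files in it. A SYSTEM service writing into such a directory is the pattern
# behind this class of local privilege escalation.

# Assumed path for illustration; point this at the directory you want to audit.
$LogDir = 'C:\ProgramData\Dropbox\Update\Log'

# Principals that every interactive standard user belongs to (assumption: extend as needed).
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that permit creating, renaming, replacing or deleting entries in a directory.
$DangerousRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, Delete, DeleteSubdirectoriesAndFiles, FullControl'

function Get-LowPrivWriteAce {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Warning "$Path does not exist on this machine"
        return @()
    }

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Only Allow entries for low-privilege identities are interesting.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Bitwise test: does this ACE grant any of the dangerous rights?
        if (($ace.FileSystemRights -band $DangerousRights) -ne 0) { $ace }
    }
}

$hits = @(Get-LowPrivWriteAce -Path $LogDir)
if ($hits.Count -gt 0) {
    $hits | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
    Write-Warning "Low-privilege users can modify $LogDir; a SYSTEM service writing here can be abused for privilege escalation"
} else {
    Write-Output "No low-privilege write access found on $LogDir"
}
```

Reading a directory's ACL needs only read permission, so this runs from a standard user prompt. The IsInherited column is worth looking at: a dangerous entry is often not set on the log directory itself but inherited from a parent, in which case tightening the ACL on the directory alone, without breaking inheritance, will not fix it.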


Calling this a zero-day means that no fix from Dropbox exists at the time the vulnerability becomes public. The researchers followed a coordinated disclosure process: the vendor is notified privately and given a deadline, while the public is told nothing in the meantime. If the vendor ships a fix before the deadline, the details are published together with the fix. If it does not, the details are published anyway, which reflects badly on the vendor because users are left exposed with no patch available.


The vulnerability affects only Windows installations, so not every device with Dropbox installed is exposed. However, Windows users account for over 66% of all Dropbox users, so the majority of the installed base is affected, which makes this a serious issue for Dropbox.


Dropbox has commented on the issue and stated that it was made aware of the vulnerability through its bug bounty programme on September 18th. It has not yet released a fix, but has promised that one will be available in the coming weeks.


Finally, if you are worried that this could affect you, the key point is that this is a local privilege escalation, not a remote attack: an attacker needs to already be running code on your machine under one of its user accounts, for example through malware or a compromised low-privilege login, before the updater can be abused. That makes a single-user personal computer a harder target. Shared or domain-joined machines deserve more concern, since any low-privilege account on them is enough.


In addition, 0patch has released a micropatch that temporarily disables the Dropbox logging behaviour the exploit relies on, as a stopgap until Dropbox ships its own fix. Like any third-party micropatch, it modifies the vendor's code in memory rather than replacing it, so it should be treated as an interim measure and removed once the official update is installed.