Multiple One-Click Bugs in Popular Applications
Security researchers have reported a large number of one-click vulnerabilities in popular software apps that allow threat actors to carry out arbitrary code execution attacks. Discovered by Positive Security researchers, the flaws affect a number of widely adopted apps, including Telegram, VLC, LibreOffice, OpenOffice, Nextcloud, Wireshark, Mumble, and Bitcoin and Dogecoin wallets.
“Desktop applications which pass user supplied URLs to be opened by the operating system are frequently vulnerable to code execution with user interaction,” the researchers pointed out. Code execution occurs either when a URL linking to a malicious executable on an internet-accessible file share is opened, or when another vulnerability in the opened app’s URI (Uniform Resource Identifier) handler is exploited.
“Vulnerabilities following this pattern have already been found in other software, with more expected to be revealed going forward,” the report added.
What does that all mean?
In layman’s terms, the vulnerabilities stem from insufficient validation of URL input: when the application hands such a URL to the operating system to be opened, the result can be arbitrary code execution.
Unfortunately, the number of applications that fail to validate URLs is considerable, which gives attackers an opening to carry out remote code execution attacks.
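An added example (not code from the Positive Security report or from any of the affected projects) of the missing validation step: an allow-list check applied before a user-supplied URL is handed to the operating system. It assumes the application only ever needs to open http and https links; the function names and the sample URLs are constructed for illustration.

```python
import webbrowser
from urllib.parse import urlsplit

# Assumption: this application only needs to open ordinary web links.
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_to_open(url) -> bool:
    """Return True only for plain web URLs that may be handed to the OS."""
    if not isinstance(url, str) or not url or len(url) > 2048:
        return False
    # Backslashes, whitespace and control characters do not belong in a web
    # URL; rejecting them also rejects Windows/UNC-style share paths.
    if any(c == "\\" or c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F
           for c in url):
        return False
    try:
        parts = urlsplit(url)
        parts.port  # accessing .port raises ValueError on a malformed port
    except ValueError:
        return False
    # Allow-list, not deny-list: file shares, local files and every other
    # application's registered URI handler are refused by default.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # A web URL must name a host ("https:///path" does not).
    return bool(parts.hostname)


def open_user_url(url) -> bool:
    """Open the URL with the system handler only if it passes validation."""
    if not is_safe_to_open(url):
        return False
    return webbrowser.open(url)


if __name__ == "__main__":
    # Constructed sample inputs, as they might arrive in a chat message
    # or a document hyperlink.
    samples = [
        "https://example.com/docs?id=1",
        "smb://fileserver.example/share/tool.exe",
        "file:///tmp/sample.desktop",
        "\\\\fileserver.example\\share\\tool.exe",
        "customapp://open?x=1",
    ]
    for s in samples:
        print(("open  " if is_safe_to_open(s) else "refuse"), s)
```
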
Here’s a list of the apps and their underlying vulnerabilities. Fortunately, most of them already have patches:
- Vulnerability in Telegram, which was reported on January 11, and patched quickly after;
- CVE-2021-22879 in Nextcloud, patched in version 3.1.3 of Desktop Client;
- Vulnerability in VLC Player, to be patched in version 3.0.13, to be released next week;
- Dogecoin bug fixed in version 1.14.3;
- Bitcoin ABC bug, addressed in version 0.22.15;
- Bitcoin Cash bug, addressed in version 23.0.0;
- CVE-2021-30245 in OpenOffice (fix to be available soon);
- CVE-2021-25631 in LibreOffice, fixed in Windows, not in Xubuntu;
- CVE-2021-27229 in Mumble, patched in version 1.3.4;
- And CVE-2021-3331 in WinSCP, patched in version 5.17.10.
As for VLC, the patched version 3.0.13 was due to be released before April 9th; however, its release has been postponed. The patch should be available next week.
“The issues were easy to find and we had a high success rate when checking applications for this vulnerability. Therefore, we expect more vulnerabilities of this type to be discovered when looking at other applications or UI frameworks,” the report concluded.
Another dangerous vulnerability in Telegram was fixed in January
In February, security researcher Dhiraj Mishra discovered that Telegram contained a privacy vulnerability in its macOS app.
The bug resided in version 7.3 of Telegram for macOS. Fortunately, the issue was quickly patched in version 7.4, which was released at the end of January. The researcher discovered that if a user opens Telegram on macOS to send a recorded audio or video message in a normal chat, the app would leak the sandbox path where the recorded message is stored in a “.mp4” file. If the user performs the same action in a normal chat, the message would be stored on the same path.