Researchers Fabian Bräunlein and Lukas Euler of the German information security firm Positive Security warn that “one-click” vulnerabilities allowing cybercriminals to remotely execute arbitrary code have been identified in several popular applications.
The researchers found the vulnerabilities in Telegram, Nextcloud, VLC, LibreOffice, OpenOffice, Bitcoin and Dogecoin wallets, Wireshark and Mumble. So, attention: if you use these applications, update them immediately.
According to them, these applications pass user-supplied URLs to the operating system to be opened. That behaviour can amount to a code execution vulnerability:
“Desktop applications that pass user-provided URLs to be opened by the operating system are often vulnerable to code execution with user interaction… Code execution can happen when a URL of a malicious executable (.desktop, .jar, .exe and others) is opened”, write the researchers in a report published on Thursday (15).
Bräunlein and Euler found that these popular applications fail to validate such URLs. In other words, a cybercriminal can craft a malicious link which, when opened by the user, leads to arbitrary code execution on the victim’s machine.
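As an added illustration (not code from the report or from any of the affected projects), the following Python guard shows the kind of validation a desktop application can apply before handing a user-supplied URL to the operating system's opener: allowlist only the schemes the application actually needs, refuse local paths and file shares, and refuse anything that resolves to an executable such as the .desktop, .jar and .exe files the researchers name. The scheme allowlist, the extension list and the function names are assumptions made for this example.

```python
"""
Illustrative URL-opening guard for a desktop application (example code,
not from the Positive Security report or any affected project).

Assumed policy: only http(s) and mailto URLs may reach the OS opener;
anything that could resolve to a local or remote executable is refused.
"""
import os
import re
import subprocess
import sys
from urllib.parse import unquote, urlsplit

# Assumption: the application only ever needs to open web links and e-mail.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# The extensions the article names (.desktop, .jar, .exe) plus a few common
# ones; this list is an assumption for the example, not the report's own.
EXECUTABLE_EXTENSIONS = (
    ".desktop", ".jar", ".exe", ".bat", ".cmd", ".ps1",
    ".sh", ".msi", ".scr", ".lnk",
)


def is_safe_to_open(url: str) -> bool:
    """Return True only if the URL passes every check below."""
    # Control characters and whitespace could smuggle an extra argument or
    # confuse the opener; refuse them outright.
    if re.search(r"[\x00-\x20\x7f]", url):
        return False

    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    # file:, smb:, custom schemes, bare paths and drive letters all fail here.
    if scheme not in ALLOWED_SCHEMES:
        return False
    # "https:///foo" style URLs with no host are refused as well.
    if scheme in ("http", "https") and not parts.netloc:
        return False

    # Decode percent-encoding so "payload%2Eexe" cannot hide an extension,
    # and strip trailing dots/spaces, which Windows ignores when resolving.
    path = unquote(parts.path).lower().rstrip(". ")
    if path.endswith(EXECUTABLE_EXTENSIONS):
        return False
    return True


def _platform_open(url: str) -> None:
    """Hand the URL to the platform's default opener."""
    if sys.platform.startswith("win"):
        os.startfile(url)  # ShellExecute under the hood
    elif sys.platform == "darwin":
        subprocess.run(["open", url], check=False)
    else:
        subprocess.run(["xdg-open", url], check=False)


def open_url(url: str, opener=None) -> bool:
    """Open the URL only after it passes the guard; report whether it did.

    `opener` is injectable so callers (and tests) can observe what would be
    launched without actually launching anything.
    """
    if not is_safe_to_open(url):
        return False
    (opener or _platform_open)(url)
    return True
```

The scheme allowlist is the primary control: it is what keeps `file:` URLs, UNC paths and bare local paths away from the opener. The extension check is a second, conservative layer for the allowed schemes, so that a link whose target is an executable is refused even if a future change to the allowlist lets more schemes through. Keeping the opener injectable makes the policy unit-testable without touching the desktop.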
As standard procedure, the researchers contacted the developers and explained the problem. But although the vulnerabilities were discovered earlier this year (and reported to the companies at that time), some developers have not yet fixed them, and the following applications remain vulnerable in certain situations, at least as of today (15/04): Bitcoin Desktop Client, Bitcoin Gold Desktop Client, LibreOffice, OpenOffice and VLC.
“It’s easy for any [application] developers to shift the blame and avoid taking on the burden of implementing mitigation measures… It is crucial that each party involved take some responsibility and add their contribution in the form of mitigation measures”, they write.
According to them, the Bitcoin applications are not interested in solving the problems. LibreOffice remains vulnerable for Xubuntu users (Xubuntu is a Linux distribution based on Ubuntu), since its developers consider the responsibility to lie with Xubuntu rather than with them. VLC has a patch scheduled for next week.
Applications such as LibreOffice (preinstalled on most Linux-based systems), OpenOffice and VLC are open source solutions widely used by individuals and companies worldwide. VLC, for example, has almost 1 billion downloads, counting both those from the official source (the developer’s website) and those obtained through SourceForge.
Sources: Positive Security; SourceForge; VideoLAN, TheHack.