1-Click Hack Found in Popular Desktop Apps — Check If You’re Using Them

Various one-simply click vulnerabilities have been found out throughout a wide range of preferred program programs, allowing an attacker to probably execute arbitrary code on goal programs.

The challenges were being found by Positive Protection scientists Fabian Bräunlein and Lukas Euler and impact apps like Telegram, Nextcloud, VLC, LibreOffice, OpenOffice, Bitcoin/Dogecoin Wallets, Wireshark, and Mumble.

“Desktop apps which pass consumer equipped URLs to be opened by the operating procedure are usually vulnerable to code execution with person conversation,” the researchers reported. “Code execution can be accomplished either when a URL pointing to a destructive executable (.desktop, .jar, .exe, …) hosted on an web accessible file share (nfs, webdav, smb, …) is opened, or an added vulnerability in the opened application’s URI handler is exploited.”

password auditor

Place differently the flaws stem from an inadequate validation of URL enter that, when opened with the enable of the fundamental functioning procedure, potential customers to inadvertent execution of a malicious file.

Beneficial Security’s analysis located that several apps failed to validate the URLs, thereby allowing an adversary to craft a specially-crafted connection pointing to a piece of attack code, ensuing in remote code execution.


Subsequent liable disclosure, most of the applications have launched patches to remediate the flaws –

  • Nextcloud – Mounted in variation 3.1.3 of Desktop Consumer released on February 24 (CVE-2021-22879)
  • Telegram – Concern documented on January 11 and subsequently preset through a server-side transform on (or somewhat before) February 10
  • VLC Participant – Challenge claimed on January 18, with patched model 3..13 set for release upcoming 7 days
  • OpenOffice – Mounted in the impending 4.1.10 launch (CVE-2021-30245)
  • LibreOffice – Tackled in Windows, but susceptible in Xubuntu (CVE-2021-25631)
  • Mumble – Fastened in edition 1.3.4 introduced on February 10 (CVE-2021-27229)
  • Dogecoin – Mounted in variation 1.14.3 released on February 28
  • Bitcoin ABC – Set in version .22.15 released on March 9
  • Bitcoin Hard cash – Fastened in version 23.. (presently in launch system)
  • Wireshark – Mounted in version 3.4.4 introduced on March 10 (CVE-2021-22191)
  • WinSCP – Set in variation 5.17.10 released on January 26 (CVE-2021-3331)
password auditor

“This situation spans multiple levels in the targeted system’s software stack, for that reason making it easy for the maintainers of any just one to change the blame and prevent taking on the load of employing mitigation steps on their stop,” the scientists reported.

“Even so, owing to the variety of shopper devices and their configuration states, it is critical that just about every get together included requires on some volume of duty and adds their contribution in the type of mitigation actions” this sort of as URL validation and avoiding remote shares from remaining car-mounted.

Fibo Quantum