Security researchers "Decoder" and Chris Danieli have discovered a vulnerability in the Windows client software for the popular cloud storage service Dropbox that would allow an attacker holding an unprivileged user account to gain SYSTEM permissions, the highest level of permission possible on a local Windows system. The unpatched flaw affects standard Dropbox installations and lies in the updater, which runs as a Windows service with SYSTEM privileges and is responsible for keeping the application up to date. This is a local privilege escalation, not a remote attack: to exploit it, an attacker must already be able to run code as a user on the machine, which usually means having compromised that user's account, most often through a phishing campaign that gets an employee to open a malicious file.

The researchers provided Dropbox with proof-of-concept (PoC) code for the vulnerability on September 18th and gave the company a 90-day window before making the flaw public. They have not shared the PoC code publicly, to avoid handing attackers a ready-made tool. Dropbox initially responded that the problem was already known and that a fix would be available before the end of October. As of December 23rd, Dropbox has not yet released a patch.
Analyst Notes
Until Dropbox ships a security update, the only currently available fix is a micropatch from 0patch, a platform (run by ACROS Security) that delivers small in-memory patches for known issues before a permanent, official fix becomes available. Because the 0patch micropatch is a third-party, temporary measure, organizations that deploy it should test it against their standard Dropbox build first and still apply Dropbox's official update once it is released. Because attackers must first compromise a user account (or otherwise run code as a local user) to exploit this flaw, organizations are also advised to maintain multiple layers of defense: email threat scanning, user education about phishing, centralized logging, and an Endpoint Detection and Response (EDR) solution that detects attacker behaviors such as a process started by a low-privileged user account gaining SYSTEM permissions, or an account running commands that are unusual for it.
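The two EDR behaviors named above can be written as concrete rules over process-creation telemetry. The following is an added example for this note, not code from the source article, Dropbox or 0patch: it walks a small set of constructed Sysmon-style process-creation (Event ID 1) records, attributes any SYSTEM-integrity process back to a lower-integrity ancestor (a low-privileged user gaining SYSTEM), and flags images that fall outside a per-account baseline (commands unusual for that account). Sysmon, the field names, the event stream, the DropboxUpdate.exe path and the baseline are all assumptions made for illustration; the constructed events do not reproduce the researchers' unpublished PoC.

```python
"""Added example: privilege-jump and unusual-command checks over constructed
Sysmon-style process-creation records.  Not code from the source article,
Dropbox or 0patch; Sysmon field names, events and baseline are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Windows integrity levels, ranked so a numeric comparison means "more privileged".
INTEGRITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "System": 3}


@dataclass
class ProcEvent:
    """Subset of Sysmon Event ID 1 fields needed for these two checks."""
    guid: str                   # ProcessGuid
    image: str                  # Image
    user: str                   # User (account the process runs as)
    integrity: str              # IntegrityLevel
    parent_guid: Optional[str]  # ParentProcessGuid (None when the parent was not logged)


# Constructed event stream (not real telemetry): a phishing document spawns
# PowerShell as CORP\alice, then a SYSTEM-level cmd.exe appears in that same
# lineage and runs a discovery command.  services.exe -> DropboxUpdate.exe is
# the benign service start that a naive "any SYSTEM process" rule would also hit.
EVENTS: List[ProcEvent] = [
    ProcEvent("P1", r"C:\Windows\explorer.exe", r"CORP\alice", "Medium", None),
    ProcEvent("P2", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"CORP\alice", "Medium", "P1"),
    ProcEvent("P3", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"CORP\alice", "Medium", "P2"),
    ProcEvent("P4", r"C:\Windows\System32\cmd.exe", r"NT AUTHORITY\SYSTEM", "System", "P3"),
    ProcEvent("P5", r"C:\Windows\System32\whoami.exe", r"NT AUTHORITY\SYSTEM", "System", "P4"),
    ProcEvent("P6", r"C:\Windows\System32\services.exe", r"NT AUTHORITY\SYSTEM", "System", None),
    ProcEvent("P7", r"C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe",
              r"NT AUTHORITY\SYSTEM", "System", "P6"),
]

# Constructed per-account baseline of image names seen during normal operation.
# A real EDR learns this from history; it is hard-coded here for the example.
BASELINE: Dict[str, Set[str]] = {
    r"CORP\alice": {"explorer.exe", "winword.exe", "outlook.exe", "chrome.exe"},
    r"NT AUTHORITY\SYSTEM": {"services.exe", "svchost.exe", "lsass.exe", "dropboxupdate.exe"},
}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_privilege_jumps(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Flag System-integrity processes that descend from a lower-integrity ancestor.

    Returns (child_guid, ancestor_guid, ancestor_user) per hit.  The walk goes up
    the whole chain, so a SYSTEM child of an already-SYSTEM exploit helper is
    still attributed to the low-privileged user that started the lineage.
    """
    by_guid = {e.guid: e for e in events}
    hits: List[Tuple[str, str, str]] = []
    for e in events:
        if e.integrity != "System":
            continue
        anc = by_guid.get(e.parent_guid) if e.parent_guid else None
        while anc is not None:
            if INTEGRITY_RANK[anc.integrity] < INTEGRITY_RANK["System"]:
                hits.append((e.guid, anc.guid, anc.user))
                break
            anc = by_guid.get(anc.parent_guid) if anc.parent_guid else None
    return hits


def find_unusual_commands(events: List[ProcEvent],
                          baseline: Dict[str, Set[str]]) -> List[str]:
    """Flag processes whose image is outside the baseline for the account running them."""
    return [e.guid for e in events
            if image_name(e.image) not in baseline.get(e.user, set())]


def report(events: List[ProcEvent], baseline: Dict[str, Set[str]]) -> List[str]:
    """Human-readable findings, one per line."""
    by_guid = {e.guid: e for e in events}
    lines = [f"privilege jump: {child} runs as SYSTEM but descends from {anc} ({user})"
             for child, anc, user in find_privilege_jumps(events)]
    lines += [f"unusual command for {by_guid[g].user}: {by_guid[g].image}"
              for g in find_unusual_commands(events, baseline)]
    return lines


if __name__ == "__main__":
    for line in report(EVENTS, BASELINE):
        print(line)
```

On the constructed stream the lineage rule fires twice (cmd.exe and whoami.exe, both traced back to CORP\alice via P3) and stays silent for DropboxUpdate.exe started by services.exe, while the baseline rule flags powershell.exe under the user account and the two SYSTEM-level shell commands. The ancestor walk is what keeps the first rule useful: a real EDR sees the whole process tree, so the attribution survives even when the first SYSTEM process in the chain is a short-lived helper.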
Source Article: https://www.bleepingcomputer.com/news/security/dropbox-zero-day-vulnerability-gets-temporary-fix/