Security researchers “Decoder” and Chris Danieli have discovered a vulnerability in the Windows client software for the popular cloud storage service Dropbox that would allow an attacker to use an unprivileged user account to gain SYSTEM permissions–the highest level of permission possible on a local Windows system. The unpatched flaw affects standard Dropbox installations and relates to the updater that runs as a service, which is responsible for keeping the application up-to-date. For an attacker to exploit this vulnerability, they must first have compromised a user’s account. Attackers usually gain access to a user account through a phishing campaign to get an employee to open a malicious file. The researchers provided Dropbox with proof of concept (POC) code to exploit the vulnerability on September 18^th and gave them a 90-day window before they made the flaw public.  The researchers have not shared the POC code publicly, to avoid giving tools to attackers. Dropbox initially responded that the problem is known, and a fix would be available before the end of October.  As of December 23^rd, Dropbox has not yet released a patch to fix the vulnerability.