Security researchers “Decoder” and Chris Danieli have discovered a vulnerability in the Windows client software for the popular cloud storage service Dropbox that allows an attacker who already holds an unprivileged local user account to gain SYSTEM privileges, the highest level of privilege on a local Windows system. The unpatched flaw affects standard Dropbox installations and lies in the updater, which runs as a Windows service in order to keep the application up to date. To exploit it, an attacker must first be able to run code in the context of a user on the machine; in practice that foothold is usually gained through a phishing campaign that gets an employee to open a malicious file.

The researchers provided Dropbox with proof-of-concept (PoC) code for the vulnerability on September 18th and gave the company a 90-day window before public disclosure. They have not released the PoC publicly, to avoid handing a ready-made tool to attackers. Dropbox initially responded that the problem was already known and that a fix would be available before the end of October. As of December 23rd, Dropbox has not released a patch.
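The article does not name the updater service, the binary version, or the patched release, so there is no exact indicator to match on. What a defender can do today is inventory which Dropbox-related services run as LocalSystem and whether a standard user can write to the directory the service binary lives in. The PowerShell below is an added example, not code from the Binary Defense article or from Dropbox; it matches services on an image path containing "Dropbox" (an assumption, since the article names no service) and reports the run-as account, file version, and any low-privilege principals with write rights on the image directory. It is a general local-privilege-escalation hygiene check for the hosts you manage, not a test for the specific flaw described above.

```powershell
# Added example, not code from the Binary Defense article or from Dropbox.
# Lists services whose image path contains "Dropbox" (matching on the path is an
# assumption; the article does not name the service), the account each runs as,
# the binary's file version, and whether non-administrators can modify the
# directory the binary lives in. General hygiene check, not a test for the flaw.

function Get-DropboxServiceExposure {
    [CmdletBinding()]
    param(
        [string]$PathFilter = '*Dropbox*'
    )

    # Principals that every interactive user belongs to; write access for them
    # on a directory used by a SYSTEM service deserves a closer look.
    $lowPrivPrincipals = @(
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'Everyone',
        'NT AUTHORITY\INTERACTIVE'
    )
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                 [System.Security.AccessControl.FileSystemRights]::CreateFiles

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -like $PathFilter } |
        ForEach-Object {
            # Image paths may be quoted and may carry arguments; recover just the .exe.
            $raw = $_.PathName
            if ($raw -match '^"([^"]+)"')      { $exe = $Matches[1] }
            elseif ($raw -match '^(.*?\.exe)') { $exe = $Matches[1] }
            else                               { $exe = $raw }

            $version = $null
            $dir = $null
            $lowPrivWriters = @()
            if (Test-Path -LiteralPath $exe) {
                $version = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
                $dir = Split-Path -LiteralPath $exe -Parent
                $acl = Get-Acl -LiteralPath $dir
                foreach ($ace in $acl.Access) {
                    if ($ace.AccessControlType -ne 'Allow') { continue }
                    if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                    if (($ace.FileSystemRights -band $writeMask) -ne 0) {
                        $lowPrivWriters += $ace.IdentityReference.Value
                    }
                }
            }

            [pscustomobject]@{
                Service        = $_.Name
                RunsAs         = $_.StartName      # 'LocalSystem' means SYSTEM
                StartMode      = $_.StartMode
                State          = $_.State
                ImagePath      = $exe
                FileVersion    = $version
                ImageDirectory = $dir
                LowPrivWriters = ($lowPrivWriters | Sort-Object -Unique) -join ', '
            }
        }
}

# Usage: run on the endpoint; a standard user session is enough to read this data.
Get-DropboxServiceExposure | Format-Table -AutoSize
```

A non-empty LowPrivWriters column on a service that runs as LocalSystem is the condition worth escalating; an empty column does not prove the host is safe against the updater flaw above, because the article does not say which files or directories the updater touches. Recording FileVersion now gives you a baseline to compare against once Dropbox ships a fix.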