A number of one-click bugs have been found in several popular desktop applications, including LibreOffice, Nextcloud, VLC, the Bitcoin and Dogecoin wallets, Telegram, Mumble, and Wireshark. The vulnerabilities could let an attacker execute malicious code on a victim's computer via a crafted URL that the vulnerable app hands to the operating system to open. The issues were reported by Lukas Euler and Fabian Bräunlein of Positive Security.
According to the researchers, desktop programs that pass user-supplied URLs to the operating system to be opened are often susceptible to code execution that needs no more interaction than a single click on a link. One route is a URL that points at a hosted executable, such as a “.exe”, “.jar” or “.desktop” file, which the OS opener launches rather than displays. The other is a URL whose scheme is registered by a different installed application, so that a vulnerability in that application's URL handler is triggered.
In other words, the root cause is insufficient validation of the URL before the exposed app passes it on. Because nothing checks what the link points to, the target it names is launched, and the infection starts from there.
Positive Security's analysis suggests that a large number of popular applications fail at this validation. An attacker who knows this can craft a link for one of the affected apps so that following it fetches and runs a piece of malicious code on the targeted machine.
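The attack described above comes down to one call: the app takes a link from a message or document and hands it, unchecked, to `ShellExecute`, `open` or `xdg-open`. The example below, written for this article and not taken from Positive Security or from any of the named applications, shows that vulnerable pattern beside an allowlist check on the URL scheme, and why the tempting alternative, a blocklist of dangerous file extensions, does not hold. The allowed schemes, the extension list and the sample links are assumptions chosen for illustration.

```python
"""Scheme allowlisting before a desktop app hands a link to the OS.

Added example written for this article; it is not code from Positive Security
or from any of the applications named above. The allowlist, the extension
list and the sample links are assumptions chosen for illustration.
"""
import re
import subprocess
import sys
from urllib.parse import urlsplit

# What a chat client or document viewer legitimately needs the OS to open.
# Assumption: web links and mail links only; anything else stays in the app.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# A few extensions the OS opener executes or interprets instead of displaying.
# Deliberately short, to show why a blocklist can never be complete.
EXECUTABLE_EXTENSIONS = (".exe", ".jar", ".desktop", ".msi", ".bat")


def looks_executable_blocklist(url: str) -> bool:
    """The tempting but wrong fix: reject links that end in a known bad extension.

    Any extension the list has not heard of (.scr is also a Windows executable)
    walks straight past it.
    """
    return url.lower().endswith(EXECUTABLE_EXTENSIONS)


def is_safe_to_open(url: str) -> bool:
    """Allowlist check: only known schemes, and web links must carry a host.

    Everything the attack relies on (file:, smb:, UNC paths, custom schemes
    registered by other programs) is rejected by construction because it is
    not on the list, not because we recognised it as bad.
    """
    if re.search(r"[\x00-\x20]", url):
        # Control characters or embedded whitespace could split the link into
        # two arguments or smuggle options into the opener; refuse outright.
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False
    if scheme in ("http", "https") and not parts.netloc:
        return False  # "http:payload" parses, but it is not a web link
    return True


def open_url_unsafe(url: str) -> None:
    """The vulnerable pattern: whatever arrived in the message goes to the OS."""
    if sys.platform.startswith("win"):
        import os
        os.startfile(url)  # ShellExecute: a link to a hosted .exe runs it
    elif sys.platform == "darwin":
        subprocess.run(["open", url], check=False)
    else:
        subprocess.run(["xdg-open", url], check=False)  # .desktop files run


def open_url(url: str) -> bool:
    """Hardened wrapper: check first, hand over only what passed the allowlist."""
    if not is_safe_to_open(url):
        return False
    open_url_unsafe(url)
    return True


if __name__ == "__main__":
    # Constructed sample links, as they might arrive in a chat message.
    # The 203.0.113.0/24 range is reserved for documentation.
    samples = [
        "https://example.com/report.pdf",
        "mailto:security@example.com",
        "file://203.0.113.5/share/update.exe",
        "smb://203.0.113.5/share/update.jar",
        r"\\203.0.113.5\share\update.exe",
        "evilapp://payload",
        "file://203.0.113.5/share/update.scr",
    ]
    for link in samples:
        verdict = "open " if is_safe_to_open(link) else "BLOCK"
        missed = " (blocklist would pass it)" if not looks_executable_blocklist(link) else ""
        print(f"{verdict} {link!r}{missed}")
```

Running the script prints a verdict per link without opening anything; `open_url` is the only function that touches the OS. The design point is that `is_safe_to_open` never tries to decide whether a link is dangerous, only whether it is one of the few kinds the app has a reason to open, which is what makes it hold against schemes and extensions nobody thought of.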
After Positive Security published the report following responsible disclosure, most of the vendors named in it have either already fixed the problem or are working on a security update. Here is the status per app and the measure each vendor has taken:
- VLC Player – A security patch, version 3.0.13, is scheduled for release in the coming week.
- Telegram – The problem has been fixed via a server-side change.
- Nextcloud – Version 3.1.3 of the app fixes the vulnerability of the desktop client.
- LibreOffice – The bug has been fixed for the Windows version but the Xubuntu version is still vulnerable.
- OpenOffice – The vulnerability is to be fixed with the next patch for the office package.
- Dogecoin – The bug is fixed with version 1.14.3.
- Mumble – The vulnerability has been patched out with version 1.3.4.
- Wireshark – Version 3.4.4 fixes the bug.
- Bitcoin Cash – Version 23.0.0, which is currently in the process of being released, resolves the vulnerability.
- Bitcoin ABC – The flaw is fixed in version 0.22.15.
- WinSCP – Version 5.17.10 fixes the vulnerability.
Because this type of vulnerability typically spans several layers of the stack (the application, the library that parses the link, and the operating system's URL handler), it is easy for each party to point at another and decline responsibility. Unfortunately, this often leaves such bugs unpatched for long periods, giving attackers the opportunity to exploit them and infect users.
For exactly this reason, it is important that app developers take on their share of the responsibility and implement safeguards within the app itself, such as validating which URLs may be handed to the OS, so that flaws of this kind cannot be exploited.