A zero-day security vulnerability exists in Dropbox for Windows that lets attackers escalate their privileges from user to SYSTEM, the most privileged account on the Windows operating system. The vulnerability is related to Dropbox’s Updater, which runs as a service and keeps the Dropbox application up to date. A short-term fix has been provided by 0Patch in the form of a micropatch.
What is a Zero-Day Vulnerability?
A zero-day vulnerability is a computer software vulnerability that has not been fixed by the software’s creators. Until such vulnerabilities are fixed, attackers can exploit them to affect computer programs, data, additional computers or networks.
In computer security jargon, Day Zero is the day on which the owners of the software learn about the vulnerability. Security researchers usually give such companies 90 days to fix the issue before making a public disclosure.
90 days have passed since Day Zero and Dropbox has not yet provided a patch for the security vulnerability. Therefore, security experts Decoder and Chris Daniel, who discovered the vulnerability in September, have now gone public with their findings.
Where Does the Dropbox Security Vulnerability Lie?
Dropbox is a cloud-based file hosting service that offers file storage and synchronization. It was founded in June 2007 and has over 500 million users.
This unpatched security flaw affects standard Dropbox for Windows installations, and the vulnerability stems from the DropboxUpdater service. This service periodically checks the Dropbox installation on users’ computers and updates it to the latest version.
The DropboxUpdater service is installed as part of the Dropbox desktop application’s installation and is run at regular intervals by the task scheduler. Because the scheduled task runs it with SYSTEM permissions, exploiting the service could let attackers who have already broken into a target device elevate their privileges. Attackers could then gain access to other parts of the device and to the network to which it is connected.
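The risk the article describes comes from an updater that runs as SYSTEM while its binaries live on disk where a standard user might be able to touch them. The following audit script is an added example, not code from the article, from Dropbox or from 0patch: it lists scheduled tasks and services whose name contains "Dropbox" (matching on that name is an assumption about how the updater is registered on a given machine), shows the account each runs as, and flags any executable or containing directory whose ACL grants write, modify or full control to low-privilege identities. The same check applies to any SYSTEM-level task or service, not only Dropbox's.

```powershell
# Added audit example (not from the article, Dropbox or 0patch).
# Lists Dropbox-related scheduled tasks and services, the account they run as,
# and whether low-privilege identities can modify the executable or its folder.
# Filtering on the name "Dropbox" is an assumption about the installation.

$LowPrivIdentities = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

function Resolve-ExecutablePath {
    param([string]$CommandLine)
    # Strip arguments and surrounding quotes, then expand %ProgramFiles%-style variables.
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $exe = if ($CommandLine.StartsWith('"')) {
        $CommandLine.Split('"')[1]
    } else {
        ($CommandLine -split '\s+')[0]
    }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-WeakAclEntries {
    param([string]$Path)
    # Returns one record per Allow ACE that lets a low-privilege identity
    # write to the binary itself or to the directory that contains it.
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return }
    $targets = @($Path, (Split-Path -Path $Path -Parent))
    foreach ($t in $targets) {
        foreach ($ace in (Get-Acl -LiteralPath $t).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
            if ($ace.FileSystemRights -match 'Write|Modify|FullControl|CreateFiles') {
                [pscustomobject]@{
                    Object   = $t
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }
}

function Format-WeakAcl {
    param([string]$Path)
    (Get-WeakAclEntries -Path $Path |
        ForEach-Object { "$($_.Identity): $($_.Rights) on $($_.Object)" }) -join '; '
}

# Scheduled tasks: Principal.UserId shows whether the task runs as SYSTEM.
Get-ScheduledTask | Where-Object { $_.TaskName -like '*Dropbox*' } | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $exe = Resolve-ExecutablePath -CommandLine $action.Execute
        [pscustomobject]@{
            Kind     = 'ScheduledTask'
            Name     = "$($task.TaskPath)$($task.TaskName)"
            RunsAs   = $task.Principal.UserId
            RunLevel = $task.Principal.RunLevel
            Binary   = $exe
            WeakAcl  = Format-WeakAcl -Path $exe
        }
    }
}

# Services: StartName is the logon account; 'LocalSystem' means SYSTEM.
Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE '%Dropbox%'" | ForEach-Object {
    $exe = Resolve-ExecutablePath -CommandLine $_.PathName
    [pscustomobject]@{
        Kind     = 'Service'
        Name     = $_.Name
        RunsAs   = $_.StartName
        RunLevel = $_.StartMode
        Binary   = $exe
        WeakAcl  = Format-WeakAcl -Path $exe
    }
}
```

Run it from an elevated PowerShell session so that Get-ScheduledTask and Get-Acl can read every task and path. A non-empty WeakAcl column on a task or service that runs as SYSTEM or LocalSystem is the condition worth investigating; an empty column does not prove the updater is safe, since the article does not state the precise root cause, but it rules out the most common variant of this class of weakness.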
Exploiting Dropbox’s Security Vulnerability
To exploit this Dropbox security flaw, an attacker first needs local access to an already compromised computer; without it, the vulnerability cannot be used.
Secondly, the user must have installed Dropbox on their computer using a standard installation, complete with admin rights. If the installation was customized, then attackers can’t use the Dropbox security vulnerability to elevate their privileges from user to SYSTEM.
A spokesperson for Dropbox stated: “We learned of this issue through our bug bounty program and will be rolling out a fix in the coming weeks.” The spokesperson went on to say: “This bug can only be leveraged in limited circumstances, and we haven’t received any reports of this vulnerability impacting our users.”
Until Dropbox rolls out a patch for the issue, an interim solution has been made available by 0Patch, a platform that delivers micropatches for known issues before official fixes become available.