
[Web Feed] We found and reported 1-click code execution vulnerabilities in popular softw...


Feed Supplier

Apr 29, 2021, 3:59:31 PM



- We found and reported 1-click code execution vulnerabilities in popular software including *Telegram*, *Nextcloud*, *VLC*, *Libre-/OpenOffice*, *Bitcoin/Dogecoin Wallets*, *Wireshark* and *Mumble*

- Desktop applications which pass user supplied URLs to be opened by the operating system are frequently vulnerable to *code execution with user interaction*

- Code execution can be achieved either when a URL pointing to a malicious executable (desktop, jar, exe, …) hosted on an internet accessible file share (nfs, webdav, smb, …) is opened, or an additional vulnerability in the opened application’s URI handler is exploited

- Vulnerabilities following this pattern have already been found in other software, with more expected to be revealed going forward





Link 1


Allow arbitrary URLs, expect arbitrary code execution | Positive Security: https://positive.security/blog/url-open-rce
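
A defensive check for the pattern summarized in the post, as an added example that is not part of the original post or the linked article: validate a user-supplied URL against a scheme allowlist before it is handed to the operating system. The names `is_safe_to_open` and `open_link`, the sample hosts, and the assumption that the application only needs to open http/https links are hypothetical.

```python
import webbrowser
from urllib.parse import urlsplit

# Assumption: this application only ever needs to open ordinary web links.
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_to_open(url: str) -> bool:
    """Return True only for absolute http(s) URLs that name a host."""
    # Whitespace and control characters are stripped or reinterpreted
    # differently by different parsers; backslashes mark Windows UNC paths.
    if not url or "\\" in url or any(ord(c) < 0x21 or ord(c) == 0x7F for c in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    # Scheme-less input ("//host/share", "/tmp/x.desktop") has scheme "" here,
    # so it is rejected together with file:, smb:, nfs:, dav: and the rest.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    return bool(parts.hostname)


def open_link(url: str, opener=webbrowser.open) -> bool:
    """Hand the URL to the OS opener only if it passed the allowlist."""
    if not is_safe_to_open(url):
        return False
    opener(url)
    return True


# Constructed sample inputs (hosts are placeholders), with the expected verdict.
SAMPLES = {
    "https://example.com/docs": True,
    "HTTP://example.com/": True,
    "smb://files.example.com/share/update.exe": False,
    "nfs://files.example.com/export/tool.jar": False,
    "dav://files.example.com/app.desktop": False,
    "file:///home/user/Downloads/app.desktop": False,
    "\\\\files.example.com\\share\\update.exe": False,
    "//files.example.com/share/update.exe": False,
    "https:///no-host": False,
}

if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        print(f"{is_safe_to_open(url)!s:5} (expected {expected}) {url}")
```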
