A zero-day vulnerability has been discovered by security researchers in Dropbox for Windows that lets a hacker gain Windows SYSTEM privileges.
If you have Dropbox installed, you should uninstall it immediately until the company issues a fix.
The researchers in question, Chris Danieli and Decoder, first discovered the issue in September and contacted Dropbox on 18th September. They told Dropbox that if the issue wasn’t fixed within 90 days, they would go public with it and the company paid no heed. Now the researchers have gone public about the issue.
The weakness in the application lets an attacker overwrite files, giving a hacker who already has local user access the ability to execute code with admin privileges. While the researchers haven’t released the exploit code, the flaw is thought to be in the DropboxUpdater service: it allows a local user to swap in executable files that are then run by the system.
While the weakness hasn’t been fixed, it isn’t necessarily a major issue, as the hacker must already have local access to the computer they want to target. If the hackers don’t have local access (which in many cases they don’t), they won’t be able to do much. As per reports, a small patch can be downloaded from 0patch that will fix the issue for the time being until Dropbox issues a fix.
A Dropbox spokesperson commented on the issue, saying:
We learned of this issue through our bug bounty program and will be rolling out a fix in the coming weeks. This bug can only be leveraged in limited circumstances, and we haven’t received any reports of this vulnerability impacting our users.