One-Click Vulnerabilities Discovered in Popular Desktop Apps
Security researchers have uncovered multiple vulnerabilities in popular desktop applications that allow arbitrary code execution on users’ systems with just a single click. These flaws have been informally dubbed “one-click vulnerabilities.”
The issues were identified by Positive Security specialists Fabian Bräunlein and Lukas Euler. They found that the bugs affect well-known applications such as Telegram, Nextcloud, VLC, LibreOffice, OpenOffice, Bitcoin/Dogecoin Wallets, Wireshark, Mumble, and others.
How the Vulnerabilities Work
According to the researchers, “Desktop applications that allow the operating system to open URLs on behalf of the user contain a code execution vulnerability. Exploitation requires interaction with the victim.”
Attackers can trigger arbitrary code execution by providing a link to a malicious executable file (a .desktop, .jar or .exe file, for example) hosted online. They may also combine this with further weaknesses in the software’s URI handler.
In other words, these bugs stem from the application handing URLs to the operating system’s opener without sufficiently validating them. Under certain conditions, this can lead to the unintended launch of a malicious file.
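The check described above, as an added illustration that is not code from the researchers or from any of the affected projects: before a desktop application hands a user-supplied link to the operating system's URL opener, it allow-lists the scheme, refuses bare local and UNC paths, and flags http(s) links whose path ends in one of the executable formats named in the write-up so the user can be warned. The allow-list, the extension list and the `open_link` routing function are assumptions made for the example.

```python
"""Allow-list a link before handing it to the OS URL opener.

Added illustration; the allow-list, suffix list and routing policy
are assumptions, not the behaviour of any application named here.
"""
from urllib.parse import urlsplit

# Schemes this (hypothetical) application is willing to pass to the OS opener.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Payload formats named in the write-up that an OS opener may execute directly.
EXECUTABLE_SUFFIXES = (".desktop", ".jar", ".exe")


def is_safe_to_open(url: str) -> bool:
    """Return True only for a well-formed URL with an allow-listed scheme."""
    # Control characters and whitespace let the app and the OS opener disagree
    # about where the link ends; reject them outright.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    # UNC paths (\\server\share\x.jar) and bare local paths carry no scheme;
    # never forward them to the opener.
    if url.startswith(("\\\\", "//", "/", "\\")):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False  # file:, smb:, and anything unexpected are blocked here
    if scheme in ("http", "https") and not parts.netloc:
        return False
    if scheme == "mailto" and (parts.netloc or not parts.path):
        return False
    return True


def looks_like_executable_download(url: str) -> bool:
    """True if an (already allow-listed) link points at an executable hosted online."""
    path = urlsplit(url).path.lower()
    return path.endswith(EXECUTABLE_SUFFIXES)


def open_link(url: str, opener) -> str:
    """Route a link and report 'blocked', 'warned' or 'opened'.

    `opener` is the OS-opener callable (for example webbrowser.open); it is
    injected so the policy can be exercised offline without launching anything.
    """
    if not is_safe_to_open(url):
        return "blocked"
    if looks_like_executable_download(url):
        # Policy choice: ask the user before opening a link to an executable.
        return "warned"
    opener(url)
    return "opened"


if __name__ == "__main__":
    # Constructed sample links; the opener here only records what it was given.
    launched = []
    samples = [
        "https://example.test/page",
        "http://example.test/app.jar",
        "file:///home/user/evil.desktop",
        "\\\\server\\share\\evil.jar",
        "smb://server/share/evil.jar",
        "mailto:alice@example.test",
    ]
    for link in samples:
        print(f"{open_link(link, launched.append):8} {link}")
    print("handed to opener:", launched)
```

The policy is deliberately an allow-list rather than a block-list: a new scheme the application has never seen is refused by default, and an http(s) link is left to the browser, whose download flow is what stands between the user and an executable hosted online.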
Impact and Affected Applications
The researchers from Positive Security noted that many desktop applications failed to properly validate links, leaving users exposed to potential attacks. Affected applications include:
- Telegram
- Nextcloud
- VLC
- LibreOffice
- OpenOffice
- Bitcoin/Dogecoin Wallets
- Wireshark
- Mumble
- And others
Fortunately, most of these vulnerabilities have already been patched in the affected applications. Users are advised to keep an eye on new releases and regularly update their installed software to stay protected.
Staying up to date with the latest software versions is the best way to protect yourself from these and similar vulnerabilities.