An unpatched flaw in Dropbox could let an attacker or a piece of malware seize control of your Windows computer.
That's the word from Italian researchers "Decoder" and Chris Danieli, who found that the Dropbox update process keeps its log files in a folder whose permissions let even unprivileged users add and replace files.
Log files shouldn't be dangerous on their own, but Decoder and Danieli found ways to plant bogus log files that trick the Dropbox updater into granting an ordinary local user SYSTEM-level permissions.
The researchers are not releasing their proof-of-concept exploit code, but Decoder provided technical details in a blog post and showed how the attack works in a YouTube video.
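As an added check (example code written for this article, not Decoder's proof of concept and not Dropbox's code), the PowerShell script below audits a folder's ACL for the precondition the researchers describe: write-type rights granted to principals that every local user holds (Everyone, Users, Authenticated Users, INTERACTIVE). The default path is an assumption; the article does not name the updater's log folder, so pass the folder you want to audit with -Path.

```powershell
# Added example, not code from the article or from Decoder/Danieli.
# Audits a folder (and the files in it) for write-type rights granted to
# principals every local user belongs to. The default path is an ASSUMPTION:
# the article does not name the Dropbox updater's log folder.
param(
    [string]$Path = 'C:\ProgramData\Dropbox\Update\Log'   # assumed location
)

# Well-known SIDs that any unprivileged local session effectively holds.
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that let a caller create, replace, delete or redirect entries.
$FSR = [System.Security.AccessControl.FileSystemRights]
$WriteLikeRights = $FSR::WriteData -bor $FSR::CreateFiles -bor
                   $FSR::CreateDirectories -bor $FSR::AppendData -bor
                   $FSR::Delete -bor $FSR::DeleteSubdirectoriesAndFiles -bor
                   $FSR::WriteAttributes -bor $FSR::WriteExtendedAttributes -bor
                   $FSR::ChangePermissions -bor $FSR::TakeOwnership

function Get-WeakAces {
    # Emits one record per Allow ACE that grants a low-privileged principal
    # any write-like right on the item; emits nothing if the item looks safe.
    param([Parameter(Mandatory)][string]$Item)

    $acl = Get-Acl -LiteralPath $Item
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # Compare by SID so localized or unresolved account names do not slip through.
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }
        if (-not $LowPrivSids.ContainsKey($sid)) { continue }

        $granted = [int]$ace.FileSystemRights -band [int]$WriteLikeRights
        if ($granted -eq 0) { continue }

        [pscustomobject]@{
            Item      = $Item
            Principal = $LowPrivSids[$sid]
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
        }
    }
}

if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
    Write-Warning "Folder not found: $Path (updater not installed, or the assumed path is wrong)"
    return
}

# Check the folder itself, then every existing log file: replacing a file needs
# either file-level write/delete rights or the folder-level delete-child right.
$findings = @(
    Get-WeakAces -Item $Path
    Get-ChildItem -LiteralPath $Path -File -Force |
        ForEach-Object { Get-WeakAces -Item $_.FullName }
)

if ($findings.Count -eq 0) {
    "No write-like rights for low-privileged principals under $Path"
} else {
    $findings | Format-Table -AutoSize
}
```

A finding confirms only that standard users can add or replace files in that location, which is the precondition the researchers describe; whether that turns into SYSTEM privileges depends on what the updater does with the planted files, which Decoder's post covers and this article does not reproduce. The same audit applies to any folder that a service running as SYSTEM writes to, and Get-Acl needs only read-permissions access, so it runs from a standard user's prompt.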
How to protect yourself
Bleeping Computer says that right now, the only fix available comes from 0Patch, a company that provides temporary, unofficial patches for other companies' software. Dropbox told Forbes that an official patch would be "rolling out ... in the coming weeks."
You could try using 0Patch's temporary fix -- it's free for home users and doesn't require a reboot -- but we're a little wary of installing software from companies we're not familiar with.
Decoder instead recommends removing a couple of files buried deep in the Dropbox directory, but we couldn't find those files on our own machine.
However, since this attack requires local access, you'd do well to avoid letting strangers use your PC and to install one of the best antivirus programs to prevent infection by opportunistic malware.
Decoder and Danieli said they notified Dropbox of the flaw in mid-September, and we've reached out to Dropbox to ask why it's taking so long to produce a patch.
Dropbox told Forbes that "this bug can only be leveraged in limited circumstances, and we haven't received any reports of this vulnerability impacting our users."
That doesn't make this flaw any less serious. An attacker does need to run code on the PC as a local user to begin this attack, but that foothold can easily be gained through a low-level malware infection, such as via a malicious email attachment or a drive-by download from a malicious or compromised website.
By using this Dropbox flaw to gain SYSTEM permissions, a user or an application -- think malware -- can do pretty much anything on the PC. Running as a standard, non-administrator user, which we normally recommend, won't protect you here: the whole point of a privilege-escalation flaw is that it lets a standard user climb to SYSTEM.