Google Quick Share Vulnerability Allows File Transfers Without Consent

April 3, 2025 | Ravie Lakshmanan | Data Protection and Vulnerability

Cybersecurity researchers have disclosed details of a new vulnerability affecting Google’s Quick Share data transfer utility for Windows. It could be exploited to cause a denial of service (DoS) or to send arbitrary files to a target’s device without their consent.

The flaw, identified as (CVSS score: 5.9), bypasses the fixes for two of the ten shortcomings that SafeBreach Labs first made public in August of this year under the name . Following responsible disclosure in August 2024, it has been addressed in Quick Share for Windows version 1. 1.0.2002.2.

These ten vulnerabilities, collectively tracked as CVE-2024-38271 (CVSS score: 5.9) and CVE-2024-38272 (CVSS score: 7.1), could have been chained into an exploit to execute arbitrary code on Windows hosts.

Quick Share (previously called Nearby Share) is a peer-to-peer file-sharing service that enables users to transfer files, photos, videos, and other documents between Android devices, Chromebooks, and Windows desktops and laptops in close physical proximity. It is similar to Apple AirDrop.


In a follow-up analysis, the cybersecurity firm found that two of the flaws had been fixed incorrectly. As a result, it was once again possible to crash the application, or to bypass the requirement for a recipient to accept the file transfer request by transmitting a file directly to the device.

In particular, the DoS bug could be triggered by using a file name that begins with a different invalid UTF-8 continuation byte (such as “\xc5\xff”) rather than a file name that begins with a NULL terminator (“\x00”).

On the other hand, the initial fix for the unauthorized file transfer flaw marked such transferred files as “unknown” and deleted them from the disk once the file transfer session was over.

According to SafeBreach researcher Or Yair, sending two different files in the same session with the same “payload ID” could cause the application to delete only one of them, leaving the other intact in the Downloads folder.
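The two bypasses described above suggest receiver-side checks that target the whole class of bad input rather than one known value. The following is an added illustration, not Quick Share's or SafeBreach's code: file names are decoded strictly instead of blocklisting a single byte, and a repeated payload ID within one session is refused. The names `validate_file_name`, `TransferSession` and `TransferRejected`, and the sample offers, are hypothetical.

```python
import unicodedata

class TransferRejected(Exception):
    """Raised when an incoming file offer must be refused."""

def validate_file_name(raw: bytes) -> str:
    """Strictly decode a received file name; reject anything malformed."""
    if not raw:
        raise TransferRejected("empty file name")
    try:
        # Strict decoding rejects every malformed sequence, not one known-bad byte.
        name = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise TransferRejected(f"invalid UTF-8: {exc.reason}") from exc
    # b"\x00" is valid UTF-8, so control characters need their own check.
    if any(unicodedata.category(ch) == "Cc" for ch in name):
        raise TransferRejected("control character in file name")
    return name

class TransferSession:
    """Hypothetical per-session bookkeeping keyed by payload ID."""
    def __init__(self):
        self._files = {}  # payload_id -> validated file name

    def offer(self, payload_id: int, raw_name: bytes) -> str:
        name = validate_file_name(raw_name)
        # Per the article, a reused payload ID let one file escape deletion.
        if payload_id in self._files:
            raise TransferRejected(f"duplicate payload ID {payload_id}")
        self._files[payload_id] = name
        return name

    def files_to_clean_up(self):
        """Names that must be removed if the user never accepts the transfer."""
        return sorted(self._files.values())

def demo():
    """Run constructed sample offers and report accept/reject per offer."""
    session = TransferSession()
    offers = [(1, b"report.pdf"), (2, b"\x00.txt"), (3, b"\xc5\xff.txt"),
              (1, b"second.bin")]  # constructed sample input
    results = []
    for payload_id, raw in offers:
        try:
            results.append(("accepted", session.offer(payload_id, raw)))
        except TransferRejected as exc:
            results.append(("rejected", str(exc)))
    return results, session.files_to_clean_up()

if __name__ == "__main__":
    print(demo())
```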

“Although this study is specific to the Quick Share utility, we think the implications are applicable to the entire software industry,” according to Yair. “Vendors should often address the true root cause of vulnerabilities that they fix,” the statement said.
