Depending on the application and operating system, clicking on a link can have dangerous consequences and, in the worst case, lead to the implementation of malicious code. This is caused by a lack of verification of user input.
In essence, some of the attacker’s applications’ links to files containing malicious code that are not selected for the operating system, which in some cases execute the file without further action on the part of the victim. Positive security safety researchers warn of this in a blog post.
In the article they explain the possible attack scenarios for various Bitcoin wallets, LibreOffice, Next Cloud, Telegram, VLC and Wireshark. Security researchers believe that other applications are affected by the security issue.
Conflicts in verifying user input by applications and operating systems are a complex topic due to their diversity. According to the researchers, browsers, for example, act as role models due to various security tests. But this is definitely not the case for all applications.
To make matters worse, operating systems do not behave the same way. With Linux, the controls depend on the desktop environment. Here security researchers classify people as particularly vulnerable to attacks such as XFCE. Windows finds them particularly vulnerable.
Runs Windows .Jar files directly from a Webtop partition without security notification. For example, an attacker may slip a playlist created for users of VLC Player to represent a .jar file containing malicious code. If the victim opens the playlist, the malicious code will be available on the computer.
According to their own information, the researchers successfully tried this with a JRE installation under Windows 10 19042. This is not easily possible under Linux due to restrictions (such as URI blocker).
Security researchers say some of the developers of the mentioned applications are already working on updates. For example, VLC version 3.0.13, which protects against such attacks, will appear soon.
LibreOffice developers have so far only protected the Windows version. In Xubuntu (XFCE) they see Linux developers as responsible. To get rid of security issues, not only application developers but also developers of operating systems are required.