Cybersecurity researchers have uncovered a vulnerability in Googles Quick Share utility for Windows, identified as CVE-2024-10668, that could be exploited to crash the application or send files to a recipients device without their approval, The Hacker News reports.
The issue is a bypass of two previously disclosed vulnerabilities from the QuickShell vulnerability set, reported in August 2024 by SafeBreach Labs and collectively tracked as CVE-2024-38271 and CVE-2024-38272. These earlier flaws, if chained together, could lead to arbitrary code execution on Windows systems. Quick Share, formerly known as Nearby Share, enables peer-to-peer file transfers across Android, Chromebook, and Windows platforms. Although the flaw has been addressed in version 1.0.2002.2 of Quick Share for Windows, a follow-up analysis revealed that two vulnerabilities remained unresolved. One could trigger a denial-of-service condition using specific malformed UTF8 file names, while the other could bypass file transfer consent by exploiting how the application manages files with identical payload IDs. SafeBreach stressed that patching visible symptoms without addressing underlying causes can leave systems vulnerable.
The issue is a bypass of two previously disclosed vulnerabilities from the QuickShell vulnerability set, reported in August 2024 by SafeBreach Labs and collectively tracked as CVE-2024-38271 and CVE-2024-38272. These earlier flaws, if chained together, could lead to arbitrary code execution on Windows systems. Quick Share, formerly known as Nearby Share, enables peer-to-peer file transfers across Android, Chromebook, and Windows platforms. Although the flaw has been addressed in version 1.0.2002.2 of Quick Share for Windows, a follow-up analysis revealed that two vulnerabilities remained unresolved. One could trigger a denial-of-service condition using specific malformed UTF8 file names, while the other could bypass file transfer consent by exploiting how the application manages files with identical payload IDs. SafeBreach stressed that patching visible symptoms without addressing underlying causes can leave systems vulnerable.
