Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Graphic Library Flaw Exposes Apps Created With Delphi, C++ Builder

Library Source Code Vulnerabilties

Researchers at Core Security say they have identified a security vulnerability in the Visual Component Library (VCL) that affects apps developed with Delphi and C++ Builder.

Library Source Code Vulnerabilties

Researchers at Core Security say they have identified a security vulnerability in the Visual Component Library (VCL) that affects apps developed with Delphi and C++ Builder.

In an advisory released today, the security firm revealed that an attacker is able to trigger a buffer overflow and possibly execute arbitrary code with the aid of malformed BMP files processed through affected programs. By exploiting this security hole, an attacker could execute code with the permissions of the user running the vulnerable application.

The vulnerability, discovered as part of Core Security’s internal research efforts, impacts software developed with Embarcadero C++Builder XE6 version 20.0.15596.9843, Embarcadero Delphi XE6 version 20.0.15596.9843, and possibly other 32bit and 64 bit versions. The VCL is a component-based object-oriented framework that’s utilized for developing the user interface of Windows applications, and it is integrated by default in these development environments.

According to Flavio De Cristofaro, vice president of engineering for professional products at Core Security, the Embarcadero products have been used by financial institutions, healthcare organizations and companies in several other industries to develop homegrown applications.

There are three main conditions that must be met for the vulnerability to be exploited: the application must be built using affected software; the application must use VCL to handle BMP files; and, since the attack would be on the client side, interaction from the victim is required. On the other hand, some applications could be exploited remotely if they allow a remote user to upload the malformed BMP files.

“Users will need to check for newer versions of the software that includes the fix to the affected software component and, per our understanding, they would need to recompile the code using the new version of the software. An alternative affected users may consider is replacing the affected component (VCL) with an equivalent package for handling images,” explained De Cristofaro.

“Also, if affected users do not have the source code or are not willing to recompile the program, they can use other third-party software such as Sentinel or EMET that could help to prevent the exploitation of affected systems to some extent. We recommend contacting Embarcadero for further support,” he added.

While the latest versions of Windows incorporate features that can limit the exploitation of the vulnerability, Core Security claims it has created some proof-of-concepts that work on these operating systems as well.

Advertisement. Scroll to continue reading.

Update: Embarcadero representatives told SecurityWeek that a patch has been made available for this vulnerability. Users of Delphi and C++ Builder XE6 are advised to apply a hotfix, while users of prior versions can address the issue by making some changes in the VCL source code and adding the modified file to their applications.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.