Security Experts:

Connect with us

Hi, what are you looking for?



Graphic Library Flaw Exposes Apps Created With Delphi, C++ Builder

Library Source Code Vulnerabilties

Researchers at Core Security say they have identified a security vulnerability in the Visual Component Library (VCL) that affects apps developed with Delphi and C++ Builder.

Library Source Code Vulnerabilties

Researchers at Core Security say they have identified a security vulnerability in the Visual Component Library (VCL) that affects apps developed with Delphi and C++ Builder.

In an advisory released today, the security firm revealed that an attacker is able to trigger a buffer overflow and possibly execute arbitrary code with the aid of malformed BMP files processed through affected programs. By exploiting this security hole, an attacker could execute code with the permissions of the user running the vulnerable application.

The vulnerability, discovered as part of Core Security’s internal research efforts, impacts software developed with Embarcadero C++Builder XE6 version 20.0.15596.9843, Embarcadero Delphi XE6 version 20.0.15596.9843, and possibly other 32bit and 64 bit versions. The VCL is a component-based object-oriented framework that’s utilized for developing the user interface of Windows applications, and it is integrated by default in these development environments.

According to Flavio De Cristofaro, vice president of engineering for professional products at Core Security, the Embarcadero products have been used by financial institutions, healthcare organizations and companies in several other industries to develop homegrown applications.

There are three main conditions that must be met for the vulnerability to be exploited: the application must be built using affected software; the application must use VCL to handle BMP files; and, since the attack would be on the client side, interaction from the victim is required. On the other hand, some applications could be exploited remotely if they allow a remote user to upload the malformed BMP files.

“Users will need to check for newer versions of the software that includes the fix to the affected software component and, per our understanding, they would need to recompile the code using the new version of the software. An alternative affected users may consider is replacing the affected component (VCL) with an equivalent package for handling images,” explained De Cristofaro.

“Also, if affected users do not have the source code or are not willing to recompile the program, they can use other third-party software such as Sentinel or EMET that could help to prevent the exploitation of affected systems to some extent. We recommend contacting Embarcadero for further support,” he added.

While the latest versions of Windows incorporate features that can limit the exploitation of the vulnerability, Core Security claims it has created some proof-of-concepts that work on these operating systems as well.

Update: Embarcadero representatives told SecurityWeek that a patch has been made available for this vulnerability. Users of Delphi and C++ Builder XE6 are advised to apply a hotfix, while users of prior versions can address the issue by making some changes in the VCL source code and adding the modified file to their applications.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet