Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Graphic Library Flaw Exposes Apps Created With Delphi, C++ Builder

Library Source Code Vulnerabilties

Researchers at Core Security say they have identified a security vulnerability in the Visual Component Library (VCL) that affects apps developed with Delphi and C++ Builder.

Library Source Code Vulnerabilties

Researchers at Core Security say they have identified a security vulnerability in the Visual Component Library (VCL) that affects apps developed with Delphi and C++ Builder.

In an advisory released today, the security firm revealed that an attacker is able to trigger a buffer overflow and possibly execute arbitrary code with the aid of malformed BMP files processed through affected programs. By exploiting this security hole, an attacker could execute code with the permissions of the user running the vulnerable application.

The vulnerability, discovered as part of Core Security’s internal research efforts, impacts software developed with Embarcadero C++Builder XE6 version 20.0.15596.9843, Embarcadero Delphi XE6 version 20.0.15596.9843, and possibly other 32bit and 64 bit versions. The VCL is a component-based object-oriented framework that’s utilized for developing the user interface of Windows applications, and it is integrated by default in these development environments.

According to Flavio De Cristofaro, vice president of engineering for professional products at Core Security, the Embarcadero products have been used by financial institutions, healthcare organizations and companies in several other industries to develop homegrown applications.

There are three main conditions that must be met for the vulnerability to be exploited: the application must be built using affected software; the application must use VCL to handle BMP files; and, since the attack would be on the client side, interaction from the victim is required. On the other hand, some applications could be exploited remotely if they allow a remote user to upload the malformed BMP files.

“Users will need to check for newer versions of the software that includes the fix to the affected software component and, per our understanding, they would need to recompile the code using the new version of the software. An alternative affected users may consider is replacing the affected component (VCL) with an equivalent package for handling images,” explained De Cristofaro.

“Also, if affected users do not have the source code or are not willing to recompile the program, they can use other third-party software such as Sentinel or EMET that could help to prevent the exploitation of affected systems to some extent. We recommend contacting Embarcadero for further support,” he added.

While the latest versions of Windows incorporate features that can limit the exploitation of the vulnerability, Core Security claims it has created some proof-of-concepts that work on these operating systems as well.

Advertisement. Scroll to continue reading.

Update: Embarcadero representatives told SecurityWeek that a patch has been made available for this vulnerability. Users of Delphi and C++ Builder XE6 are advised to apply a hotfix, while users of prior versions can address the issue by making some changes in the VCL source code and adding the modified file to their applications.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

Kelly Shortridge has been promoted to VP of Security Products at Fastly.

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.