From what I understand by reading <http://blogs.technet.com/b/srd/archive/2015/02/10/ms15-011-amp-ms15-014-hardening-group-policy.aspx>, this is well mitigated by the "UNC Hardened Access" feature that has been introduced.

"Even 3rd party applications and services can take advantage of this new feature without additional code changes; simply add the necessary configuration details in Group Policy. If a UNC Provider is able to establish a connection to the specified server that meets the required security properties, then the application/service will be able to open handles as normal; if not, opening handles would fail, thus preventing insecure access to the remote server." on the actual issue (whether DC++ should allow clicking on UNC paths), I have no opinion - maybe people in local networks actually enjoy pasting links to files stored on some shared network server? this would input from others, but from what I have gathered, the security issue has been fixed in Windows itself so I see no reason to block these links as they can have legit uses. -- You received this bug notification because you are a member of Dcplusplus-team, which is subscribed to DC++. https://bugs.launchpad.net/bugs/1502650 Title: DC++ 0.851 - Arbitrary code execution Status in DC++: New Bug description: Details and PoC: http://kacperrybczynski.com/research/dcpp_851_arbitrary_code_execution/ By supplying an UNC path in the *.dcext plugin file or main/pm hub chat, a remote file will be automatically downloaded, which can result in arbitrary code execution. To manage notifications about this bug go to: https://bugs.launchpad.net/dcplusplus/+bug/1502650/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~linuxdcpp-team Post to : linuxdcpp-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~linuxdcpp-team More help : https://help.launchpad.net/ListHelp