The maintainers of the widely used ncurses library recently patched multiple memory corruption vulnerabilities that attackers could have abused to, ahem, curse targets with malicious code and escalate privileges.

September 15, 2023 By Jai Vijayan
A widely used programming library called "ncurses" is infested with malicious gremlins — in the form of multiple memory corruption vulnerabilities that give attackers a way to target applications running on macOS, Linux, and FreeBSD.
Researchers from Microsoft uncovered the vulnerabilities in the library, which provides APIs for text-based user interfaces and terminal applications. In a technical report this week, researchers from the company's threat intelligence team described the bugs as allowing data leaks, privilege escalation, and arbitrary code execution.
"After discovering the vulnerabilities in the ncurses library, we worked with the maintainer, Thomas E. Dickey, and Apple to ensure the issues were resolved across platforms," the researchers said. "Exploiting vulnerabilities in the ncurses library could have notable consequences for users, allowing attackers to perform malicious actions like elevating privileges to run code in a targeted program's context and access or modify valuable data and resources."