Orbit Downloader versions 2.6.3 and 2.6.4 contain a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition or execute arbitrary code with the privileges of the user running the application.
The vulnerability exists in the Unicode conversion performed for balloon notifications. When a download fails, the application displays a balloon control that includes the URL, and it converts the ASCII URL to Unicode without adequately checking its length, so an overlong URL overflows the buffer that receives the converted string. An unauthenticated, remote attacker could exploit the vulnerability by convincing a user to click a crafted link whose URL is longer than 4096 bytes.
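The following C example is added here to illustrate the bug class the advisory describes; it is not Orbit Downloader's code, which is not public. It assumes a fixed 4096-character wide buffer for the balloon text (the advisory gives the trigger length, not the application's buffer declaration) and a hand-written ASCII-to-wide copy loop standing in for the application's conversion. The unchecked loop is the vulnerable pattern; `widen_checked` and `prepare_failure_balloon` are the hardened form, which refuses an oversized URL rather than truncating it. The URLs are constructed test input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Assumed fixed-size balloon text buffer (wide characters). The advisory
 * gives the 4096-byte trigger length but not the real buffer declaration. */
#define BALLOON_URL_CHARS 4096

/* Vulnerable pattern: ASCII-to-wide conversion that trusts the URL length.
 * out must hold strlen(url) + 1 wide characters; nothing enforces that, so a
 * URL of BALLOON_URL_CHARS bytes or more writes past the end of the buffer. */
static void widen_unchecked(const char *url, wchar_t *out)
{
    size_t i;
    for (i = 0; url[i] != '\0'; i++)
        out[i] = (wchar_t)(unsigned char)url[i];
    out[i] = L'\0';
}

/* How many wide characters widen_unchecked would write beyond a
 * BALLOON_URL_CHARS buffer for a URL of url_bytes bytes (0 means it fits). */
static size_t unchecked_overrun(size_t url_bytes)
{
    return url_bytes + 1 > BALLOON_URL_CHARS ? url_bytes + 1 - BALLOON_URL_CHARS : 0;
}

/* Hardened form: bounded conversion that refuses oversized input instead of
 * silently truncating (a truncated URL in a notification misleads the user).
 * Returns 0 on success, -1 if the URL plus terminator does not fit. */
static int widen_checked(const char *url, wchar_t *out, size_t out_chars)
{
    size_t len = strlen(url);
    size_t i;
    if (out_chars == 0 || len > out_chars - 1)
        return -1;
    for (i = 0; i < len; i++)
        out[i] = (wchar_t)(unsigned char)url[i];
    out[len] = L'\0';
    return 0;
}

/* Download-failure path: prepare the balloon text or decline to show the
 * balloon. Returns 1 if the text was prepared, 0 if the URL was rejected. */
static int prepare_failure_balloon(const char *url, wchar_t *text, size_t text_chars)
{
    if (widen_checked(url, text, text_chars) != 0) {
        /* Log the length only; do not echo the untrusted URL into the log. */
        fprintf(stderr, "balloon: rejecting %zu-byte URL (limit %zu)\n",
                strlen(url), text_chars - 1);
        return 0;
    }
    return 1;
}

/* Constructed test input: an http:// URL padded with 'A' to exactly n bytes,
 * the shape of the crafted link described above. Caller frees the result. */
static char *make_long_url(size_t n)
{
    const char *prefix = "http://example.invalid/";
    size_t plen = strlen(prefix);
    char *url = malloc(n + 1);
    if (url == NULL)
        return NULL;
    if (n < plen)
        plen = n;
    memcpy(url, prefix, plen);
    memset(url + plen, 'A', n - plen);
    url[n] = '\0';
    return url;
}

/* Build an n-byte URL and report whether the checked conversion accepts it
 * (1), rejects it (0), or allocation failed (-1). */
static int checked_accepts(size_t n)
{
    static wchar_t buf[BALLOON_URL_CHARS];
    char *url = make_long_url(n);
    int ok;
    if (url == NULL)
        return -1;
    ok = widen_checked(url, buf, BALLOON_URL_CHARS) == 0;
    free(url);
    return ok;
}

int main(void)
{
    static wchar_t balloon[BALLOON_URL_CHARS];
    size_t sizes[] = { 64, 4095, 4096, 5000 };
    size_t k;
    for (k = 0; k < sizeof sizes / sizeof sizes[0]; k++) {
        char *url = make_long_url(sizes[k]);
        int shown;
        if (url == NULL)
            return 1;
        shown = prepare_failure_balloon(url, balloon, BALLOON_URL_CHARS);
        printf("%zu-byte URL: balloon %s; unchecked copy would overrun by %zu\n",
               sizes[k], shown ? "shown" : "rejected", unchecked_overrun(sizes[k]));
        free(url);
    }
    /* widen_unchecked is only safe on input that fits; it is never called here
     * with the 5000-byte URL because that would corrupt the stack/static data. */
    widen_unchecked("http://example.invalid/ok", balloon);
    return 0;
}
```

Note that with a 4096-character buffer the unchecked copy already overruns at a 4096-byte URL because of the terminating L'\0'; whether the real application needed "more than" 4096 bytes depends on its actual buffer size, which is why the limit here is labelled an assumption.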
Proof-of-concept code that demonstrates the vulnerability is available.
Orbit has confirmed the vulnerability and released a fixed version: upgrade to Orbit Downloader 2.6.5 or later.