CVE-2020-37126
Free Desktop Clock · Desktop Clock
Free Desktop Clock 3.0 contains a stack overflow vulnerability in the Time Zones display name input that allows unauthenticated attackers to overwrite SEH registers and execute arbitrary code.
Executive summary
Free Desktop Clock 3.0 is vulnerable to a critical stack overflow that allows unauthenticated attackers to execute arbitrary code via malicious Unicode input.
Vulnerability
This vulnerability is a stack-based buffer overflow occurring within the Time Zones display name input field. An unauthenticated attacker can trigger this flaw by providing crafted Unicode input, leading to the overwriting of Structured Exception Handler (SEH) registers and subsequent arbitrary code execution.
Business impact
A successful exploit allows for complete system compromise, as the attacker can gain the same execution privileges as the application. This could result in unauthorized data access, installation of malware, or total loss of system integrity. The CVSS score of 9.8 reflects the critical nature of this flaw due to the lack of required authentication and the potential for remote code execution.
Remediation
Immediate Action: Administrators should immediately update Free Desktop Clock to the latest available version or decommission the software if it is no longer required for business operations.
Proactive Monitoring: Security teams should monitor for unusual application crashes or anomalous process behavior originating from the Desktop Clock executable.
Compensating Controls: Implement strict application whitelisting and ensure that users do not have administrative privileges, which can limit the scope of a successful code execution exploit.
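One way to act on the Proactive Monitoring item, as an added example that is not part of the original advisory: a triage pass over normalised crash and process-creation records that flags crashes with stack-corruption exception codes and any child process started by the clock. The image name desktopclock.exe, the record fields and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Hypothetical image name: the advisory does not give the executable's file name.
TARGET_IMAGE = "desktopclock.exe"

# NTSTATUS values that a corrupted stack or exception handler chain typically produces.
SUSPECT_CODES = {
    0xC0000005: "access violation",
    0xC0000409: "stack buffer overrun detected",
    0xC00001A5: "invalid exception handler",
}

# Constructed sample records, normalised from crash and process-creation telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-014", "kind": "crash", "image": r"C:\Program Files\Clock\DesktopClock.exe", "code": "0xc0000005"},
    {"host": "ws-014", "kind": "process_create", "parent": r"C:\Program Files\Clock\DesktopClock.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws-020", "kind": "crash", "image": r"C:\Windows\explorer.exe", "code": "0xc0000005"},
    {"host": "ws-031", "kind": "crash", "image": r"C:\Program Files\Clock\DesktopClock.exe", "code": "0xe0434352"},
    {"host": "ws-031", "kind": "process_create", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Clock\DesktopClock.exe"},
]

def is_target(path):
    """True when a Windows path points at the monitored executable."""
    return ntpath.basename(path or "").lower() == TARGET_IMAGE

def triage(events):
    """Return (host, severity, reason) tuples for events worth an analyst's time."""
    findings = []
    for ev in events:
        if ev["kind"] == "crash" and is_target(ev.get("image")):
            code = int(ev["code"], 16)
            if code in SUSPECT_CODES:
                findings.append((ev["host"], "medium", f"crash: {SUSPECT_CODES[code]}"))
        elif ev["kind"] == "process_create" and is_target(ev.get("parent")):
            # A clock utility has no reason to start other programs.
            child = ntpath.basename(ev["image"]).lower()
            findings.append((ev["host"], "high", f"child process: {child}"))
    return findings

def hosts_to_escalate(findings):
    """Hosts showing both a suspect crash and a child process from the clock."""
    crashed = {h for h, _, r in findings if r.startswith("crash")}
    spawned = {h for h, _, r in findings if r.startswith("child")}
    return sorted(crashed & spawned)

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
    print("escalate:", hosts_to_escalate(triage(SAMPLE_EVENTS)))
```

In practice the records would come from the Windows Application event log (Application Error events) and from endpoint process-creation telemetry, mapped into the fields assumed here.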
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability is critical because it allows unauthenticated remote code execution. Organizations should immediately prioritize removing or updating Free Desktop Clock 3.0. Given the age of the software and the critical CVSS score, immediate remediation is the only effective way to mitigate the risk of full system takeover.