Windows Vulnerability Found Using VCard Files 

February 1, 2019

Written by wukovits

There’s a new zero-day vulnerability in Windows 10 you need to be aware of.  As with all zero-day threats, this one is dangerous in the extreme, allowing a hacker to potentially execute code on your machine remotely.

It was discovered by security researcher John Page, and reported to the company via Trend Micro’s Zero-Day Initiative more than six months ago.

To date, the company has refused to patch their software in response.  In fact, the issue hasn’t even received a CVE number yet.

The issue resides within the processing of a vCard file, which is a standard file format used by Microsoft Outlook to store contact information. Each vCard has space for the contact’s website.  Unfortunately, a hacker can plug in whatever value they like there, including a web address pointing to a file that can be downloaded and remotely executed on the target machine.  All it takes is for the victim to click on the link in the poisoned vCard.

Page has published a proof of concept for the exploit, which has been assigned a CVSS 23.0 score of 7.8.  It would have been even higher than that, but in order to be successful, the exploit does require action on the user’s part (the link in the vCard actually has to be clicked).

Even considering this, it seems strange that Microsoft wouldn’t take steps to fix the issue, or at least to assign it a CVE number.  Leaving this exploit un-patched opens the door to abuse.  It’s like hanging a neon sign above every installation of Microsoft Outlook, begging hackers to take advantage of it.

To this point, we know of no instances of this attack being used in the wild, but it’s just a matter of time.  Our hope is that Microsoft will take steps to address the problem sooner, rather than later.

Used with permission from Article Aggregator

Bayou Tech

We provide solutions for your business. Find out how we can help.

Related Articles

New Graphene Technology May Increase Hard Drive Storage

HDDs are old, well understood technology. They haven't changed much in recent years. In fact, increasingly, people are writing them off, preferring SSDs for their greater speed and smaller size, even though HDDs are less expensive. The clever folks at the University...

Some Amazon Device Features May Have Security Risks

Have you heard of Amazon Sidewalk? If not, it's definitely something you should be aware of. Depending on your point of view, the new feature, which was enabled by default on a wide range of Amazon devices by default on June 8 of this year (2021) is either...

Email Unsubscribe Scam Can Easily Fool Any User

Scammers are increasingly relying on a tried and true bit of social engineering to fool unsuspecting users into unwittingly signing up to receive a flood of additional spam email. They accomplish this by blasting out an email asking recipients if they wish to...

Send us a message

Your message was sent.