Windows Vulnerability Found Using VCard Files 

February 1, 2019

Written by wukovits

There’s a new zero-day vulnerability in Windows 10 you need to be aware of. As with all zero-day threats, this one is dangerous in the extreme, allowing a hacker to potentially execute code on your machine remotely.

It was discovered by security researcher John Page and reported to Microsoft via Trend Micro’s Zero Day Initiative more than six months ago.

To date, the company has refused to patch their software in response.  In fact, the issue hasn’t even received a CVE number yet.

The issue resides within the processing of a vCard file, which is a standard file format used by Microsoft Outlook to store contact information. Each vCard has space for the contact’s website.  Unfortunately, a hacker can plug in whatever value they like there, including a web address pointing to a file that can be downloaded and remotely executed on the target machine.  All it takes is for the victim to click on the link in the poisoned vCard.
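One way to check contact files before they reach users is to inspect the website field described above. The following is an added example, not code from the original article or from the researcher; the function names, the allowed-scheme list, the extension list and the sample vCard are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: a contact's website should only ever be a normal web link.
ALLOWED_SCHEMES = {"http", "https"}
# Assumption: illustrative list of file types treated as executable content.
RISKY_EXTENSIONS = (".exe", ".cpl", ".scr", ".bat", ".cmd", ".js",
                    ".vbs", ".hta", ".lnk", ".msi")

# Constructed sample vCard (not taken from any real file).
SAMPLE = """BEGIN:VCARD
VERSION:2.1
FN:Constructed Contact
URL;TYPE=work:https://www.example.com/about
URL:file:///C:/Users/Public/tool.exe
item1.URL:https://downloads.example.net/setup
 .exe
END:VCARD
"""

def unfold(text):
    """Undo vCard line folding: a continuation line starts with space or tab."""
    return re.sub(r"\r?\n[ \t]", "", text)

def url_values(text):
    """Yield the value of every URL property, ignoring group prefix and parameters."""
    for line in unfold(text).splitlines():
        name, sep, value = line.partition(":")
        if sep and name.split(";")[0].split(".")[-1].upper() == "URL":
            yield value.strip()

def check_vcard(text):
    """Return (value, reason) pairs for website fields a reviewer should look at."""
    findings = []
    for value in url_values(text):
        parsed = urlparse(value)
        if parsed.scheme.lower() not in ALLOWED_SCHEMES:
            findings.append((value, "not an http/https URL"))
        elif parsed.path.lower().endswith(RISKY_EXTENSIONS):
            findings.append((value, "link targets an executable file type"))
    return findings

if __name__ == "__main__":
    for value, reason in check_vcard(SAMPLE):
        print(f"SUSPICIOUS: {value} ({reason})")
```

A mail gateway or attachment-screening script could call `check_vcard` on each `.vcf` attachment and quarantine files that return any findings.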

Page has published a proof of concept for the exploit, which has been assigned a CVSS 3.0 score of 7.8. It would have been even higher than that, but in order to be successful, the exploit does require action on the user’s part (the link in the vCard actually has to be clicked).

Even considering this, it seems strange that Microsoft wouldn’t take steps to fix the issue, or at least to assign it a CVE number. Leaving this exploit unpatched opens the door to abuse. It’s like hanging a neon sign above every installation of Microsoft Outlook, begging hackers to take advantage of it.

To this point, we know of no instances of this attack being used in the wild, but it’s just a matter of time.  Our hope is that Microsoft will take steps to address the problem sooner, rather than later.

Used with permission from Article Aggregator
