
Windows Vulnerability Found Using VCard Files 

February 1, 2019 | June 2nd, 2022 | Cybersecurity

There’s a new zero-day vulnerability in Windows 10 you need to be aware of.  As with all zero-day threats, this one is dangerous in the extreme, allowing a hacker to potentially execute code on your machine remotely.

It was discovered by security researcher John Page, and reported to the company via Trend Micro’s Zero-Day Initiative more than six months ago.

To date, the company has refused to patch their software in response.  In fact, the issue hasn’t even received a CVE number yet.

The issue resides within the processing of a vCard file, which is a standard file format used by Microsoft Outlook to store contact information. Each vCard has space for the contact’s website.  Unfortunately, a hacker can plug in whatever value they like there, including a web address pointing to a file that can be downloaded and remotely executed on the target machine.  All it takes is for the victim to click on the link in the poisoned vCard.
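A defender can screen contact files before users open them by checking the website field described above. The following is an added example, not code from the researcher or from Microsoft: it parses a vCard's `URL` properties (handling folded lines, group prefixes and parameters) and flags any value that is not a plain http/https address or that points at an executable file type. The function names, the extension list and the sample card are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: extensions treated as executable content; tune for your environment.
RISKY_EXT = (".exe", ".cpl", ".scr", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk", ".msi")
ALLOWED_SCHEMES = {"http", "https"}

SAMPLE = (  # constructed sample card, not taken from any real contact or exploit
    "BEGIN:VCARD\r\nVERSION:2.1\r\nFN:Example Contact\r\n"
    "URL;WORK:https://www.example.com/about\r\n"
    "item1.URL:http://files.example.net/tools/upd\r\n ate.exe\r\n"
    "URL:file://fileserver.example/share/readme.txt\r\n"
    "END:VCARD\r\n"
)

def unfold(text):
    """Undo vCard line folding: a line starting with space/tab continues the previous one."""
    return re.sub(r"\r?\n[ \t]", "", text).splitlines()

def url_values(text):
    """Yield the value of every URL property, ignoring group prefixes and parameters."""
    for line in unfold(text):
        name, sep, value = line.partition(":")
        prop = name.split(";")[0].split(".")[-1].upper()  # item1.URL;TYPE=WORK -> URL
        if sep and prop == "URL":
            yield value.strip()

def check_url(value):
    """Return the reasons a website field is suspicious (empty list means it looks fine)."""
    reasons = []
    # Some exporters escape the colon as "\:"; also normalise Windows-style separators.
    parts = urlsplit(value.replace("\\:", ":").replace("\\", "/"))
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        reasons.append("scheme %r is not http/https" % (scheme or "none"))
    if parts.path.lower().endswith(RISKY_EXT):
        reasons.append("points at an executable file type")
    return reasons

def scan_vcard(text):
    """Return {url_value: [reasons]} for every suspicious website field in the vCard text."""
    findings = {}
    for value in url_values(text):
        reasons = check_url(value)
        if reasons:
            findings[value] = reasons
    return findings

if __name__ == "__main__":
    for url, why in scan_vcard(SAMPLE).items():
        print(f"SUSPICIOUS {url}: {'; '.join(why)}")
```

A mail gateway or endpoint script could run `scan_vcard` over `.vcf` attachments and quarantine any file that returns findings.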

Page has published a proof of concept for the exploit, and the vulnerability has been assigned a CVSS 3.0 score of 7.8.  It would have been even higher, but the exploit requires action on the user’s part to succeed (the link in the vCard actually has to be clicked).

Even considering this, it seems strange that Microsoft wouldn’t take steps to fix the issue, or at least to assign it a CVE number.  Leaving this exploit unpatched opens the door to abuse.  It’s like hanging a neon sign above every installation of Microsoft Outlook, begging hackers to take advantage of it.

To this point, we know of no instances of this attack being used in the wild, but it’s just a matter of time.  Our hope is that Microsoft will take steps to address the problem sooner, rather than later.

Chris Forte
