A zero-day vulnerability has been discovered and reported in the Microsoft’s Windows operating system that, under a certain scenario, could allow a remote attacker to execute arbitrary code on Windows machine.
Discovered by security researcher John Page (@hyp3rlinx), the vulnerability was reported to the Microsoft security team through Trend Micro’s Zero Day Initiative (ZDI) Program over 6 months ago, which the tech giant has refused to patch, at least for now.
The vulnerability, which has not been assigned any CVE number, actually resides within the processing of a vCard file—a standard file format for storing contact information for a person or business, which is also supported by Microsoft Outlook.
According to the researcher, a remote attacker can maliciously craft a VCard file in a way that the contact’s website URL stored within the file points to a local executable file, which can be sent within a zipped file via an email or delivered separately via drive-by-download techniques.
images from Hacker News