PoC for Windows VCF zero-day published online

Microsoft said it would fix the vulnerability in Windows 19H1, in April.
Written by Catalin Cimpanu, Contributor

A security researcher has published details and proof-of-concept (PoC) code for an unpatched Windows vulnerability that affects the way Windows handles vCard files (VCFs).

The vulnerability was discovered last year by security researcher John Page (@hyp3rlinx) and reported to Microsoft via Trend Micro's Zero Day Initiative (ZDI) vulnerability disclosure program.

While initially Microsoft said in October that it would address the VCF vulnerability in this month's Patch Tuesday security updates train, the OS maker changed its mind at the last moment and deferred to fix to Windows v.Next (the codename of the next major version of the Windows OS, known currently as 19H1, set for release in April 2019).

After a patch fell through, both the researcher and the ZDI program maintainers published security advisories about the vulnerability so that users and companies can take note, put in place mitigations, or issue internal security alerts, until a fix will be available in the spring.

According to both of these advisories, the vulnerability exists in the way the Windows OS processes vCard files (VCFs).

A threat actor can craft a malicious VCF that displays a benign link, which when clicked by the user, can trigger the execution of malicious code instead of viewing the URL. The researcher has published a demo of the vulnerability in action, available below.

The good news is that this vulnerability can lead to remote code execution, but is not remotely exploitable, as it requires user interaction first.

ZDNet reached out to a few malware researchers about this zero-day today, and they explained that the vulnerability can be weaponized in a way that can be used for mass malware distribution campaigns.

The PoC shared by Page requires the presence of another secondary malicious file on the system, but that file could be easily hidden from the victim's view by an attacker.

As always, the good ol' advice of not opening files received from unknown sources over the internet stands.

Windows 10 October 2018 Update: The new features that matter most

More cybersecurity news:

Editorial standards