Extreme danger allows hackers remote access

There's a new zero-day vulnerability in Windows 10 you need to be aware of.  As with all zero-day threats, this one is dangerous in the extreme, allowing a hacker to potentially execute code on your machine remotely.

It was discovered by security researcher John Page and reported to Microsoft via Trend Micro's Zero-Day Initiative more than six months ago. To date, the company has refused to patch its software in response. In fact, the issue hasn't even received a CVE number yet.

Issue is with vCard processing

The issue resides within the processing of a vCard file, which is a standard file format used by Microsoft Outlook to store contact information. Each vCard has space for the contact's website.  Unfortunately, a hacker can plug in whatever value they like there, including a web address pointing to a file that can be downloaded and remotely executed on the target machine.  All it takes is for the victim to click on the link in the poisoned vCard.

Page has published a proof of concept for the exploit, which has been assigned a CVSS 3.0 score of 7.8. It would have been even higher, but to succeed the exploit requires action on the user's part (the link in the vCard actually has to be clicked).

Our perspective

Even considering this, it seems strange that Microsoft wouldn't take steps to fix the issue, or at least to assign it a CVE number. Leaving this exploit unpatched opens the door to abuse. It's like hanging a neon sign above every installation of Microsoft Outlook, begging hackers to take advantage of it.

To this point, we know of no instances of this attack being used in the wild, but it's just a matter of time.  Our hope is that Microsoft will take steps to address the problem sooner, rather than later.


The author


Cybersecurity Expert, Small Business Technology Consultant, Managed Services Provider, Managed IT Support

Denis S Wilson

I am President and Principal Consultant for DWP Information Architects, specializing in managed IT support for smaller healthcare practices, clinics, insurance companies, law firms, and construction companies in Ventura County and San Fernando Valley. I have created cost-effective IT solutions for over 20 years, specializing in cybersecurity and regulatory compliance.

I am also a published author and speaker, working extensively with organizations that include the State of California, the Federal Bureau of Investigation (FBI), the Small Business Administration (SBA), SCORE, Women's Business Centers, and Small Business Development Centers. I also provide small business technology education programs through business and professional associations.
