#VU13786 Information disclosure in Mail, Calendar, and People in Windows 8.1 App Store - CVE-2018-8305

Cybersecurity Help s.r.o.

Published: 2018-07-10 | Updated: 2018-07-10

Vulnerability identifier: #VU13786

Vulnerability risk: Low

CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-8305

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mail, Calendar, and People in Windows 8.1 App Store
Client/Desktop applications / Other client software

Vendor: Microsoft

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists in Windows Mail Client due to improper processing of embedded URLs. A remote attacker can trick the victim into opening a specially crafted email, automatically initiate a connection to a remote server automatically, depending on the URL contained in the malicious email, and cause Windows Mail Client to fall back to initiating a web request to a remote server, disclosing the external IP of the user's system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Mail, Calendar, and People in Windows 8.1 App Store: All versions

External links
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8305

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Information disclosure in Windows Mail Client