#VU16987 Uncontrolled Search Path Element in Windows


Published: 2019-01-15 | Updated: 2019-01-16

Vulnerability identifier: #VU16987

Vulnerability risk: Low

CVSSv3.1: 6.6 [CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C]

CVE-ID: N/A

CWE-ID: CWE-427

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Windows
Operating systems & Components / Operating system

Vendor: Microsoft

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an error when processing a web site link passed in VCard files within the Microsoft Windows mail application. A remote attacker can trick the victim into downloading and opening a specially crafted VCard file and then clicking the link indicated in the Web site field, which executes an arbitrary DLL file on the system.

Mitigation
Microsoft has decided that it will not be fixing this vulnerability.
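
With no vendor fix planned, one defensive option is to inspect .vcf files before users open them. The following is an added example, not code from this advisory or from Microsoft: it flags URL (Web site) properties that are not plain http(s) links. The allow-list, the backslash heuristic and the sample card are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: a contact card's Web site field should only hold web links.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample card (not taken from any real exploit or advisory).
SAMPLE_VCF = (
    "BEGIN:VCARD\r\nVERSION:2.1\r\nFN:Constructed Contact\r\n"
    "URL;WORK:https://www.example.com/team\r\n"
    "item1.URL;type=pref:http\\://example.org/profile\r\n"
    "URL:https://www.example.com/a-very-long-\r\n path/that-is-folded\r\n"
    "URL;HOME:file:///constructed/placeholder\r\n"
    "END:VCARD\r\n"
)

def unfold(text):
    """Join folded vCard lines (a continuation starts with space or tab)."""
    return re.sub(r"\r?\n[ \t]", "", text).splitlines()

def url_properties(text):
    """Yield every URL property value, ignoring group prefix and parameters."""
    for line in unfold(text):
        # Simplification: assumes no quoted ':' inside the parameters.
        head, sep, value = line.partition(":")
        if not sep:
            continue
        name = head.split(";", 1)[0].rsplit(".", 1)[-1]
        if name.upper() == "URL":
            # Some writers escape the colon as "\:"; undo that first.
            yield value.replace("\\:", ":").strip()

def suspicious_urls(text):
    """Return URL values that are not explicit http(s) links."""
    findings = []
    for value in url_properties(text):
        try:
            scheme = urlsplit(value).scheme.lower()
        except ValueError:
            scheme = ""  # unparsable value: treat as suspicious
        # Backslashes do not belong in a web link (heuristic, an assumption).
        if scheme not in ALLOWED_SCHEMES or "\\" in value:
            findings.append(value)
    return findings

if __name__ == "__main__":
    for hit in suspicious_urls(SAMPLE_VCF):
        print("review before opening:", hit)
```

Values with no scheme at all are also flagged, so expect some noise from cards that store a bare host name in the field.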

Vulnerable software versions

Windows: 7, 10, 8.1


External links
http://www.zerodayinitiative.com/advisories/ZDI-19-013/
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-VCF-FILE-INSUFFICIENT-WARNING-REMOTE-CO...


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

