Security researcher recently revealed PoC for Windows Vcard RCE Zero-day vulnerability after it crossed the 90 days patch deadline.
Now 0patch released a
In this case, User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
John Page, a Security researcher who discovered this RCE vulnerability said, “The specific flaw exists within the processing of VCard files. Crafted data in a VCard file can cause Windows to display a dangerous hyperlink. The user interface fails to provide
Micropatch From 0patch
Since the Microsoft failed to fix the issue within 90 days, he released Proof-of-concept that help to exploit this vulnerability in affected windows system.
According to 0patch, “The issue is in the fact that almost any string provided via a VCF or CONTACT file in the web site URL or email value (yes, we figured this one out ourselves 🙂 ends up being used as an argument to a ShellExecute call. While ShellExecute is a handy function for opening URLs in user’s default browser”
Mitja Kolsek, Co-founder of 0patch, explained and demonstrate the
0patch is working to provide micropatch for unpatched zero-day flows in softwares and operating systems.