SB2019011504 - Arbitrary DLL loading in VCF files in Microsoft Windows Mail
Published: January 15, 2019 Updated: January 16, 2019
Security Bulletin ID
SB2019011504
Severity
Low
Patch available
NO
Number of vulnerabilities
1
Exploitation vector
Local access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Uncontrolled Search Path Element (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due the an error when processing web site link passed in VCard files within Microsoft Windows mail application. A remote attacker can trick the victim to download and open a specially crafted VCard file, then click on the link, indicated in the Web site field and execute arbitrary DLL file on the system.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.