Microsoft Windows .contact Arbitrary Code Execution
Posted by deepcore on January 17, 2019 – 9:24 am
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The flaw is due to the processing of “.contact” files node param which takes an expected website value, however if an attacker references an executable file it will run that instead without warning instead of performing expected web navigation. This is dangerous and would be unexpected to an end user.
Post a reply
You must be logged in to post a comment.