There’s a new zero-day vulnerability in Windows 10 you need to be aware of.  As with all zero-day threats, this one is dangerous in the extreme, allowing a hacker to potentially execute code on your machine remotely.

It was discovered by security researcher John Page, and reported to the company via Trend Micro’s Zero-Day Initiative more than six months ago.

To date, the company has refused to patch their software in response.  In fact, the issue hasn’t even received a CVE number yet.

The issue resides within the processing of a vCard file, which is a standard file format used by Microsoft Outlook to store contact information. Each vCard has space for the contact’s website.  Unfortunately, a hacker can plug in whatever value they like there, including a web address pointing to a file that can be downloaded and remotely executed on the target machine.  All it takes is for the victim to click on the link in the poisoned vCard.

Page has published a proof of concept for the exploit, which has been assigned a CVSS 23.0 score of 7.8.  It would have been even higher than that, but in order to be successful, the exploit does require action on the user’s part (the link in the vCard actually has to be clicked).

Even considering this, it seems strange that Microsoft wouldn’t take steps to fix the issue, or at least to assign it a CVE number.  Leaving this exploit un-patched opens the door to abuse.  It’s like hanging a neon sign above every installation of Microsoft Outlook, begging hackers to take advantage of it.

To this point, we know of no instances of this attack being used in the wild, but it’s just a matter of time.  Our hope is that Microsoft will take steps to address the problem sooner, rather than later.