About the vulnerability and the micropatch
Security researcher John Page (aka Hyp3rlinx) published the details about the vulnerability and PoC exploit code after Microsoft failed to fix the issue within 90 days of it being reported.
“The issue was initially reported as related to VCF files (which are by default associated with the Windows Contacts application) but Page subsequently added that CONTACT files (also by default associated with Windows Contacts) can be used to achieve the same,” Mitja Kolsek, CEO of Acros Security and co-founder at 0patch, explained.
The vulnerability stems from the fact that almost any string supplied as the web site URL or email value in a VCF or CONTACT file ends up being passed, essentially unchanged, as an argument to a ShellExecute call.
That call first tries to launch the supplied string on the local computer and only then falls back to opening it in the browser. So if a malicious executable renamed to match that string has found its way onto the user's computer or onto a network share the user can reach, the call will trigger its execution instead of opening a web page.
As it’s still unknown when and if Microsoft will fix the flaw, the 0patch team decided to create a micropatch for it.
“We simply added some logic before this call to make sure that if the URL doesn’t start with mailto:, http:// or https://, it gets prepended with http:// to prevent any possible launching of local executables,” Kolsek noted.
As usual, the source code for the micropatch has been made public. It is also worth noting that once Microsoft fixes the flaw, the micropatch will automatically stop applying.
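To make the two halves of the story concrete, the following added example (written for this article, not code from 0patch, Acros Security or Microsoft) pulls the URL and EMAIL values out of a vCard and applies a prefix check of the kind Kolsek describes: anything that does not already start with mailto:, http:// or https:// gets http:// put in front of it, so a bare file name such as "update.exe" can no longer resolve to a local executable. The sample vCard, the function names, the case-insensitive prefix comparison and the decision to check the raw EMAIL value are all choices made for this illustration; the page does not describe how Windows Contacts builds its mailto: link or how the real micropatch compares strings.

```python
"""Added example: parse a vCard's link fields and apply a micropatch-style
scheme check.  Not 0patch's, Acros Security's or Microsoft's code; the sample
vCard and every function name below are constructed for this illustration."""

ALLOWED_PREFIXES = ("mailto:", "http://", "https://")

# Constructed sample vCard: the URL value is a bare file name, not a web
# address, which is exactly the shape of input the vulnerability turns on.
SAMPLE_VCF = (
    "BEGIN:VCARD\r\n"
    "VERSION:2.1\r\n"
    "N:Doe;John\r\n"
    "FN:John Doe\r\n"
    "EMAIL;PREF;INTERNET:john@example.com\r\n"
    "URL:update.exe\r\n"
    "END:VCARD\r\n"
)


def unfold(text):
    """Join vCard continuation lines (a line starting with SP or TAB continues
    the previous one) so each property is a single logical line."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_vcard(text):
    """Return a list of (NAME, [PARAMS], value) tuples, one per property.
    BEGIN/END/VERSION lines are structural and are skipped."""
    props = []
    for line in unfold(text):
        head, sep, value = line.partition(":")
        if not sep or head.upper() in ("BEGIN", "END", "VERSION"):
            continue
        name, *params = head.split(";")
        props.append((name.upper(), [p.upper() for p in params], value))
    return props


def is_web_or_mail_link(value):
    """True if the string already carries one of the accepted schemes.
    The comparison is case-insensitive here; that is a choice for this
    example, not a statement about how the actual micropatch compares."""
    return value.strip().lower().startswith(ALLOWED_PREFIXES)


def harden_link(value):
    """Mirror the idea quoted from Kolsek: force an http:// prefix onto any
    value that is not already a mailto:/http://https: link, so whatever
    reaches the launcher is a web address rather than a local path."""
    value = value.strip()
    if is_web_or_mail_link(value):
        return value
    return "http://" + value


def audit_vcard(text):
    """For each URL/EMAIL property report the raw value, whether it would
    have reached the launcher without a scheme, and its hardened form.
    EMAIL is included because the article says both fields reach
    ShellExecute; the raw address is checked as-is (an assumption)."""
    findings = []
    for name, _params, value in parse_vcard(text):
        if name not in ("URL", "EMAIL"):
            continue
        findings.append({
            "property": name,
            "raw": value,
            "flagged": not is_web_or_mail_link(value),
            "hardened": harden_link(value),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_vcard(SAMPLE_VCF):
        print(finding)
```

Running the script prints one finding per link field; the URL entry shows "update.exe" being rewritten to "http://update.exe", which is a harmless (and probably unresolvable) web address instead of a candidate for local execution. The check is deliberately a whitelist of schemes rather than a blacklist of dangerous extensions: the article's point is that the launcher will try almost any string locally, so the only safe approach is to guarantee the string is a URL before it is handed over.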
Opting for a micropatch
0patch is a service that delivers micropatches for 0days and other vulnerabilities that vendors have not yet fixed, for end-of-life and unsupported products and legacy operating systems, and for vulnerable third-party components and customized software.
Users who want to implement the micropatch have to install and register the 0patch agent.
ACROS Security has been busy lately creating micropatches for Windows zero-day vulnerabilities. In the past week, they published micropatches for the "AngryPolarBearBug" and "readfile" zero-days disclosed by the security researcher who goes by the online moniker "SandboxEscaper".