Security

DoS Vulnerability found in the New Contact Name Field of Microsoft’s People Application

Microsoft has its own centralized address book that combines all your social calls, communications, and connections into one place under the umbrella of its People app. A denial of service vulnerability has been found in the Microsoft people version 10.1807.2131.0 by LORD on the 4th of September, 2018. This vulnerability was detected and tested on Microsoft’s Windows 10 operating system.

The Microsoft People application on the Windows 8 and 10 desktop operating systems is essentially a contact management database platform dubbed address book. It unites several email accounts and other platforms’ contacts in one place for one click easy access. It incorporates your Apple accounts, Microsoft accounts, Xbox accounts, Google accounts, Skype, and much more all in one place so that you can connect to the people you want to instantly.

The smart application also merges contacts from different platforms for wholesome contact cards containing all the information you have about a particular person. The application lets you track your emails and calendars, connecting it with your people of interest.

The denial of service crash occurs in this application when the python exploit code is run, and a crash-inducing code is pasted into the application. To do this, you must copy the content of the “poc.txt” text file containing this code and launch the people application. Inside the application, click on “new contact (+)” and paste the code copied onto your clipboard in the name field. Once you save this contact, the application crashes with a denial of service.

A CVE identification label has not been assigned to this vulnerability yet. There is no information on whether the vendor has acknowledged this vulnerability yet, either, or whether Microsoft even plans to release an update to mitigate this vulnerability. Given the details of the vulnerability, though, I believe that the exploit most likely falls at around a 4 rating on the CVSS 3.0 scale, compromising only availability of the program, making it a lesser concern without warrant for a whole update to fix this on its own.


Close