Windows 10 Drive-By RCE Triggered by Default URI Handler
Researchers have discovered a drive-by remote code-execution bug in Windows 10 via Internet Explorer 11/Edge Legacy - the EdgeHTML-based browser that's currently the default browser on Windows 10 PCs - and Microsoft Teams.
In this case, the issue lies in the Windows 10/11 default Uniform Resource Identifier (URI) handler for ms-officecmd: URIs, which are used by the Microsoft Office Universal Windows Platform app to launch other Office desktop applications.
Positive Security had set its sights on digging up a code-execution vulnerability in a default Windows 10 URI handler.
"Windows 10 comes with an abundance of custom URI handlers relating to different OS features or other Microsoft software," Positive Security said.
Upon checking the Windows Event Log, they discovered that a .NET JsonReaderException was triggered by opening the URI "ms-officecmd:invalid." Observing the way that the URI handler parsed JSON confirmed that "URIs have potential to do very complex things," the researchers explained.
The company offered a number of additional mitigations in its writeup, including, if possible, removal of the URI handler and a migration to the application-specific URI handlers to open the applications.
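Added example (not from the article or Positive Security's writeup): a defender-side filter that flags ms-officecmd: links in page or message content and reports whether the payload decodes to JSON, which is what the handler parses. The function names and the sample input are constructed for illustration.

```python
import json
import re
from urllib.parse import unquote

# URI schemes are case-insensitive, so match any casing of the scheme.
# The payload runs up to the first whitespace, quote or angle bracket.
LINK_RE = re.compile(r"\bms-officecmd:([^\s\"'<>]*)", re.IGNORECASE)


def classify_payload(raw):
    """Percent-decode the part after the scheme and say what it looks like."""
    decoded = unquote(raw)
    try:
        value = json.loads(decoded)
    except ValueError:
        # The article reports that "ms-officecmd:invalid" made the handler
        # throw a JsonReaderException; this is the same kind of payload.
        return decoded, "not-json"
    kind = "json-object" if isinstance(value, dict) else "json-other"
    return decoded, kind


def find_officecmd_links(text):
    """Return one finding per ms-officecmd: link found in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in LINK_RE.finditer(line):
            decoded, kind = classify_payload(match.group(1))
            findings.append({"line": lineno, "payload": decoded, "kind": kind})
    return findings


# Constructed sample input: not taken from any real message or exploit.
SAMPLE = """\
<a href="https://example.com/report">quarterly report</a>
<a href="ms-officecmd:invalid">open in Office</a>
<a href="Ms-officecmd:%7B%22constructed%22%3A%22sample%22%7D">open</a>
plain text mentioning ms-officecmd without a colon is ignored
"""

if __name__ == "__main__":
    for finding in find_officecmd_links(SAMPLE):
        print(finding)
```

Any hit is worth reviewing, since ordinary web pages and chat messages have no reason to link to this scheme.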
News URL
https://threatpost.com/windows-10-rce-url-handler/176830/