Windows 10 Drive-By RCE Triggered by Default URI Handler (Security News, December 2021)

Researchers have discovered a drive-by remote code-execution bug in Windows 10 via Internet Explorer 11/Edge Legacy - the EdgeHTML-based browser that's currently the default browser on Windows 10 PCs - and Microsoft Teams.
In this case, the issue lies in the default Windows 10/11 Uniform Resource Identifier (URI) handler for ms-officecmd: URIs, which the Microsoft Office Universal Windows Platform (UWP) app uses to launch other Office desktop applications.
Positive Security had set out to find a code-execution vulnerability in a default Windows 10 URI handler.
"Windows 10 comes with an abundance of custom URI handlers relating to different OS features or other Microsoft software," Positive Security said.
Upon checking the Windows Event Log, the researchers found that a .NET JsonReaderException was triggered by opening the URI "ms-officecmd:invalid". Observing how the URI handler parsed JSON confirmed that "URIs have potential to do very complex things," the researchers explained.
The company offered a number of additional mitigations in its writeup, including, where possible, removal of the URI handler and a migration to application-specific URI handlers for opening the applications.
News URL: https://threatpost.com/windows-10-rce-url-handler/176830/
Related news
- Windows 10 KB5055612 preview update fixes a GPU bug in WSL2
- Microsoft silently fixes Start menu bug affecting Windows 10 PCs
- M365 apps on Windows 10 to get security fixes into 2028
- Microsoft will update Office apps on Windows 10 until 2028
- Windows 10 KB5058379 update fixes SgrmBroker errors in Event Viewer
- Windows 10 KB5058379 update triggers BitLocker recovery on some devices
- Microsoft confirms May Windows 10 updates trigger BitLocker recovery
- Windows 10 emergency updates fix BitLocker recovery issues
- Windows 10 KB5058481 update brings seconds back to calendar flyout