Windows 10 Drive-By RCE Triggered by Default URI Handler
Researchers have discovered a drive-by remote code-execution bug in Windows 10 via Internet Explorer 11/Edge Legacy - the EdgeHTML-based browser that's currently the default browser on Windows 10 PCs - and Microsoft Teams.
In this case, the issue lies in the Windows 10/11 default Uniform Resource Identifier (URI) handler for ms-officecmd: URIs, which are used by the Microsoft Office Universal Windows Platform (UWP) app to launch other Office desktop applications.
Positive Security had set out to find a code-execution vulnerability in a default Windows 10 URI handler.
"Windows 10 comes with an abundance of custom URI handlers relating to different OS features or other Microsoft software," Positive Security said.
Upon checking the Windows Event Log, they discovered that a .NET JsonReaderException was triggered by opening the URI "ms-officecmd:invalid." Observing the way that the URI handler parsed JSON confirmed that "URIs have potential to do very complex things," the researchers explained.
The company offered a number of additional mitigations in its writeup, including, if possible, removal of the URI handler and a migration to the application-specific URI handlers to open the applications.
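Deciding whether the handler can be removed starts with knowing which URI schemes a machine has registered and what each one launches. The PowerShell below is an added example, not code from Positive Security or from the article; it assumes the classic registration layout, in which a scheme is a key under HKEY_CLASSES_ROOT carrying a `URL Protocol` value, and the function name `Get-UriHandler` is hypothetical.

```powershell
# Added example: inventory the URI scheme handlers registered on this machine.
# Assumption: classic layout, i.e. HKEY_CLASSES_ROOT\<scheme> with a
# "URL Protocol" value and an optional shell\open\command subkey.
$schemeOfInterest = 'ms-officecmd'   # scheme named in the article

function Get-UriHandler {
    # -Root is a parameter so the function can be pointed at another hive view.
    param([string]$Root = 'Registry::HKEY_CLASSES_ROOT')

    foreach ($key in Get-ChildItem -LiteralPath $Root -ErrorAction SilentlyContinue) {
        # Only keys that carry a "URL Protocol" value are URI schemes.
        if ($key.GetValueNames() -notcontains 'URL Protocol') { continue }

        $command  = $null
        $delegate = $null
        $cmdKey = $key.OpenSubKey('shell\open\command')   # $null when absent
        if ($cmdKey) {
            $command  = $cmdKey.GetValue('')                 # default value: command line
            $delegate = $cmdKey.GetValue('DelegateExecute')  # COM handler CLSID, if any
            $cmdKey.Close()
        }

        [pscustomobject]@{
            Scheme          = $key.PSChildName
            Command         = $command
            DelegateExecute = $delegate
        }
    }
}

$handlers = @(Get-UriHandler)
'{0} URI schemes registered under HKEY_CLASSES_ROOT' -f $handlers.Count

# Report on the scheme the article discusses.
$hit = $handlers | Where-Object { $_.Scheme -ieq $schemeOfInterest }
if ($hit) {
    $hit | Format-List
} else {
    "$schemeOfInterest is not registered under HKEY_CLASSES_ROOT"
}

# Full inventory, for review before any handler is removed or restricted.
$handlers | Sort-Object Scheme | Format-Table -AutoSize -Wrap
```

The script only reads the registry; handlers registered by packaged apps may show no command line here and need to be reviewed through the owning package instead.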
News URL
https://threatpost.com/windows-10-rce-url-handler/176830/