Windows 10 Drive-By RCE Triggered by Default URI Handler (Security News, December 2021)
Researchers have discovered a drive-by remote code-execution bug in Windows 10 via Internet Explorer 11/Edge Legacy - the EdgeHTML-based browser that's currently the default browser on Windows 10 PCs - and Microsoft Teams.
In this case, the issue lies in the default Windows 10/11 handler for the ms-officecmd: URI scheme, which the Microsoft Office Universal Windows Platform app uses to launch other Office desktop applications.
Positive Security had set its sights on digging up a code-execution vulnerability in a default Windows 10 URI handler.
"Windows 10 comes with an abundance of custom URI handlers relating to different OS features or other Microsoft software," Positive Security said.
Upon checking the Windows Event Log, they discovered that a .NET JsonReaderException was triggered by opening the URI "ms-officecmd:invalid". Observing how the URI handler parsed JSON confirmed that "URIs have potential to do very complex things," the researchers explained.
The company offered a number of additional mitigations in its writeup, including, where possible, removing the URI handler and migrating to application-specific URI handlers for launching the applications.
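Before deciding whether a handler can be removed, an administrator first needs to know which custom URI schemes a machine actually registers and what each one launches. The following PowerShell script is an added example for that inventory step; it is not code from the Threatpost article or from Positive Security's writeup. It assumes the standard Windows registry convention for protocol handlers (a key per scheme under HKEY_CLASSES_ROOT carrying a "URL Protocol" value, with the launch command under shell\open\command); the list of schemes to flag is a placeholder you would adjust, and schemes registered by UWP apps may show a generic launcher command or none at all.

```powershell
# Added example (not from the article or Positive Security): inventory the URL
# protocol handlers registered on this machine and flag schemes of interest.
# Registry layout assumed here is the usual Windows convention; run from an
# elevated PowerShell session to read per-machine keys reliably.

# Assumption: schemes the reviewer wants highlighted in the report.
$schemesOfInterest = @('ms-officecmd')

$handlers = Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
    Where-Object {
        # Skip file-extension keys (".txt") and keep only keys that declare a URL protocol.
        $_.PSChildName -notlike '.*' -and
        $null -ne (Get-ItemProperty -Path $_.PSPath -Name 'URL Protocol' -ErrorAction SilentlyContinue)
    } |
    ForEach-Object {
        $scheme = $_.PSChildName
        $cmdKey = Join-Path -Path $_.PSPath -ChildPath 'shell\open\command'
        # The (default) value holds the command line the shell runs for this scheme.
        $command = (Get-ItemProperty -Path $cmdKey -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
        if ([string]::IsNullOrWhiteSpace($command)) { $command = '(no shell\open\command found)' }

        [pscustomobject]@{
            Scheme  = $scheme
            Flagged = ($schemesOfInterest -contains $scheme)
            Command = $command
        }
    }

# Flagged schemes first, so the ones under review are at the top of the report.
$handlers | Sort-Object -Property @{ Expression = 'Flagged'; Descending = $true }, Scheme |
    Format-Table -AutoSize
```

The output is a plain table of scheme, flag and launch command; exporting it with Export-Csv across a fleet gives a baseline that can be diffed after patching or after a handler is removed, which is the check a defender wants before and after applying the mitigation described above.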
News URL
https://threatpost.com/windows-10-rce-uri-handler/176830/