
Windows 10 Drive-By RCE Triggered by Default URI Handler
2021-12-07 20:24

Researchers have discovered a drive-by remote code-execution (RCE) bug in Windows 10 that can be reached through Internet Explorer 11 and Edge Legacy, the EdgeHTML-based browser that shipped as the default browser on Windows 10 PCs, as well as through Microsoft Teams.

The issue lies in the default Uniform Resource Identifier (URI) handler that Windows 10 and 11 register for the ms-officecmd: scheme. Such URIs are used by the Microsoft Office Universal Windows Platform (UWP) app to launch other Office desktop applications.

Positive Security had set out to find a code-execution vulnerability in a default Windows 10 URI handler.

"Windows 10 comes with an abundance of custom URI handlers relating to different OS features or other Microsoft software," Positive Security said.

Upon checking the Windows Event Log, they discovered that a .NET JsonReaderException was triggered by opening the URI "ms-officecmd:invalid". Observing how the URI handler parsed JSON confirmed that "URIs have potential to do very complex things," the researchers explained.
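The two observations above, that Windows registers many custom URI schemes and that a malformed URI surfaces as a .NET exception in the Event Log, translate directly into an audit an administrator can run. The following PowerShell is an added example written for this page, not code from the article or from Positive Security's writeup. It assumes the standard registry layout for URI schemes (a key under HKEY_CLASSES_ROOT carrying a "URL Protocol" value) and assumes that unhandled .NET exceptions are logged by the ".NET Runtime" provider as event ID 1026; the page itself does not say which provider or event ID the researchers looked at.

```powershell
# Added example (not from the Threatpost article or Positive Security's writeup):
# enumerate the custom URI handlers registered on a Windows 10/11 host and hunt the
# Application event log for .NET handler crashes like the JsonReaderException the
# researchers observed. The registry layout, provider name and event ID below are
# assumptions about a default Windows install, not facts taken from the page.

function Get-UriProtocolHandler {
    # Every key directly under HKEY_CLASSES_ROOT that carries a "URL Protocol"
    # value is a registered URI scheme; return its name and its launch command.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $null -ne $_.GetValue('URL Protocol', $null) } |
        ForEach-Object {
            $scheme  = $_.PSChildName
            $cmdKey  = "Registry::HKEY_CLASSES_ROOT\$scheme\shell\open\command"
            $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{
                Scheme  = $scheme
                Command = if ($command) { $command } else { '<no shell\open\command; likely app-package activation>' }
            }
        }
}

function Find-HandlerCrashEvent {
    # Assumption: unhandled .NET exceptions are written by the ".NET Runtime"
    # provider as event ID 1026 in the Application log. Filter the message text
    # for the exception type of interest.
    param(
        [string]$ExceptionName = 'JsonReaderException',
        [int]$MaxEvents = 200
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = '.NET Runtime'; Id = 1026 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($ExceptionName) } |
        Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } }
}

# List the Microsoft-specific schemes ("ms-" is a naming convention, not a security boundary).
Get-UriProtocolHandler | Where-Object Scheme -like 'ms-*' | Sort-Object Scheme | Format-Table -AutoSize

# Is the handler discussed in the article registered on this host?
if (Get-UriProtocolHandler | Where-Object Scheme -eq 'ms-officecmd') {
    Write-Host 'ms-officecmd: handler is registered on this host'
}

# Any recent handler crashes matching the signal the researchers used?
Find-HandlerCrashEvent -ExceptionName 'JsonReaderException' | Format-Table -AutoSize
```

Schemes without a shell\open\command entry are usually activated through an app package rather than a plain command line, so the handler binary is not visible from this key alone; treat the scheme list as the attack-surface inventory and resolve each interesting entry separately.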

The company offered a number of additional mitigations in its writeup, including, where possible, removing the URI handler and migrating to the application-specific URI handlers to open the applications.
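One way to carry out the "remove the URI handler" mitigation on a managed host is to unregister the scheme in the registry so browsers and other applications can no longer route it to the handler. The PowerShell below is an added example for this page, not a procedure given by the article or by Positive Security; it assumes the registration lives under HKEY_CLASSES_ROOT\<scheme>, backs the key up with reg.exe before deleting it, and must be run elevated.

```powershell
# Added example (not from the article or Positive Security's writeup): back up and
# then remove the registry registration of a URI scheme. The registry path and the
# export-before-delete approach are this example's assumptions about how the
# "remove the URI handler" mitigation is carried out on a single host.

function Disable-UriProtocolHandler {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Scheme,
        [string]$BackupDir = "$env:ProgramData\uri-handler-backup"   # assumed location
    )
    $keyPath = "HKEY_CLASSES_ROOT\$Scheme"
    if (-not (Test-Path -Path "Registry::$keyPath")) {
        Write-Warning "No handler registered for ${Scheme}: on this host"
        return
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backup = Join-Path $BackupDir ("{0}-{1:yyyyMMdd-HHmmss}.reg" -f $Scheme, (Get-Date))
    # reg.exe export keeps a restorable copy ("reg import <file>") in case the app needs it back.
    & reg.exe export $keyPath $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $keyPath failed; not removing the key" }
    if ($PSCmdlet.ShouldProcess($keyPath, 'Remove URI handler registration')) {
        Remove-Item -Path "Registry::$keyPath" -Recurse -Force
        Write-Host "Removed ${Scheme}: registration; backup written to $backup"
    }
}

# Preview what would be removed:
Disable-UriProtocolHandler -Scheme 'ms-officecmd' -WhatIf

# Remove for real once nothing in the environment is known to depend on the scheme:
# Disable-UriProtocolHandler -Scheme 'ms-officecmd'
```

HKEY_CLASSES_ROOT is a merged view of the per-machine and per-user Classes hives, and an application package can re-create its scheme registration when it is updated or reinstalled, so re-run the inventory after patch cycles to confirm the handler has not returned.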


News URL

https://threatpost.com/windows-10-rce-uri-handler/176830/