Windows 10 Drive-By RCE Triggered by Default URI Handler

There’s an argument injection weakness in the Windows 10/11 default handler, researchers said: an issue that Microsoft has only partially fixed.

Researchers have discovered a drive-by remote code-execution (RCE) bug in Windows 10 via Internet Explorer 11/Edge Legacy – the EdgeHTML-based browser that’s currently the default browser on Windows 10 PCs – and Microsoft Teams.

According to a report posted Tuesday by Positive Security, the vulnerability is triggered by an argument injection, which is a type of attack that involves tampering with a page’s input parameters. It can enable attackers to see or to modify data via the user interface that they normally can’t get at.

In this case, the issue lies in the Windows 10/11 default Uniform Resource Identifier (URI) handler for ms-officecmd: URIs of that scheme are used by the Microsoft Office Universal Windows Platform (UWP) app to launch other Office desktop applications.

Some of the noteworthy, not-great things that threat actors can do with the vulnerability include crafting highly believable phishing attacks in which webpages can hide their origin or the fact that their content is coming from an external page; issues with code execution in Outlook; command-line switches for Microsoft Office products that allow for loading

Read More: https://threatpost.com/windows-10-rce-url-handler/176830/