Researchers at Positive Security have found a drive-by remote code execution (RCE) bug in Windows 10. The vulnerability is triggered through argument injection in the Windows 10 default handler for ms-officecmd: Uniform Resource Identifiers (URIs).
Summary
A Uniform Resource Identifier (URI) is a unique string of characters used by web technologies to identify a logical or physical resource. URIs include well-known forms such as the uniform resource locator (URL) and the uniform resource name (URN). The software that is launched to open a certain type of URI is known as the URI handler. The URI handler for FTP links, for example, may differ from the one for HTTP links; which handler is used is determined by user preferences and by the software and apps installed.
How It Works
In this scenario, a malicious website performs a JavaScript redirect to a crafted ms-officecmd: URI (a scheme used by the Microsoft Office Universal Windows Platform (UWP) app to launch other Office desktop programs), triggering code execution.
As an alternative to exploitation via malicious websites, crafted ms-officecmd: URIs could also be delivered through desktop apps that perform unsafe URL handling. This vulnerability, however, only works if the user has Microsoft Teams installed but not running.
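As an added illustration (not from the advisory or from Positive Security), the PowerShell audit below lets a defender check an endpoint's exposure: it lists the URI schemes that have registered protocol handlers and the command each launches, flags ms-officecmd, and reports whether the Teams precondition from the advisory holds. It assumes the classic handler registration layout (HKCR\<scheme> with a "URL Protocol" value and shell\open\command) and the classic Teams install path; both assumptions are noted in the comments.

```powershell
# Added example, not part of the advisory: audit registered URI protocol
# handlers on this host and flag the scheme named in the advisory.
# Assumption: handlers follow the classic layout HKCR\<scheme> with a
# "URL Protocol" value and a shell\open\command key. A handler registered
# only through a UWP package manifest may lack shell\open\command and is
# reported as such rather than silently skipped.

$hive  = 'Registry::HKEY_CLASSES_ROOT'
$watch = @('ms-officecmd')   # scheme from the advisory; extend as needed

$handlers = Get-ChildItem -Path $hive -ErrorAction SilentlyContinue |
    Where-Object { $null -ne $_.GetValue('URL Protocol', $null) } |
    ForEach-Object {
        $scheme = $_.PSChildName
        $cmd = (Get-ItemProperty -Path "$hive\$scheme\shell\open\command" `
                -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            Scheme  = $scheme
            Command = if ($cmd) { $cmd } else { '<no shell\open\command; manifest-registered?>' }
            Flagged = $watch -contains $scheme
        }
    }

# Flagged schemes sort to the top so the advisory's handler is easy to spot.
$handlers | Sort-Object Flagged -Descending | Format-Table -AutoSize

# Precondition from the advisory: Teams installed but not running.
# Assumption: classic per-user Teams install path and process name "Teams".
$teamsExe       = Join-Path $env:LOCALAPPDATA 'Microsoft\Teams\current\Teams.exe'
$teamsInstalled = Test-Path $teamsExe
$teamsRunning   = [bool](Get-Process -Name 'Teams' -ErrorAction SilentlyContinue)
"Teams installed: $teamsInstalled; Teams running: $teamsRunning"
if ($teamsInstalled -and -not $teamsRunning -and ($handlers.Flagged -contains $true)) {
    Write-Warning 'ms-officecmd handler present and Teams installed but not running: advisory precondition met.'
}
```

Run it in an elevated or a normal PowerShell session; enumerating HKCR can take a few seconds, and keys the session cannot read are skipped.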
Remediation
At this time there is no patch available to remedy this new vulnerability. Researchers from Positive Security, however, advise Windows users to implement the following security measures.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: Vulnerability in Windows 10 URI Handler Leads to Remote Code Execution.pdf
References
https://threatpost.com/windows-10-rce-uri-handler/176830/
https://positive.security/blog/ms-officecmd-rce