We research. You level up.
Protect your devices, your data, and your privacy—at home or on the go.
“Thanks to the Malwarebytes MSP program, we have this high-quality product in our stack. It’s a great addition, and I have confidence that customers’ systems are protected.”
Featured Event: RSA 2021
Activate Malwarebytes Privacy on Windows device.
Exploits and vulnerabilities
Researchers at Positive Security have discovered a drive-by remote code-execution (RCE) bug in Windows 10. The vulnerability can be triggered by an argument injection in the Windows 10 default handler for ms-officecmd: URIs. It is likely that this vulnerability also exists in Windows 11.
What’s worrying is that the research team simply decided to find a code execution vulnerability in a default Windows 10 URI handler, and that they succeeded within two weeks. Given how many URI handlers are included in Windows you can bet that there are others to be found.
A Uniform Resource Identifier (URI) is a unique sequence of characters that identifies a logical or physical resource used by web technologies. The well-known uniform resource locator (URL) and the uniform resource name (URN) are both examples of URIs. A URI handler is the program that gets launched to open a URI of a certain type. For example, the URI handler for ftp links can be different from the URI handler that deals with http links. This depends on your settings and often on which software and apps you have installed.
As an alternative to exploitation through malicious websites, crafted ms-officecmd: URIs could also be delivered via desktop applications performing unsafe URL handling. However, this exploit only works if the user has Microsoft Teams installed but it is not running.
While looking for viable candidates, the ms-officecmd: scheme immediately grabbed the attention of the research team due to its promising name. MS Office is a very complex suite of applications with many legacy features and a long history of exploitability. On top of that, the scheme ends in the abbreviation for ‘command’, which suggests even more complexity and potential for injection.
When the team started playing around with it, they noticed an executable called LocalBridge.exe which would briefly run, but would show no apparent external effect.
The research team decided to decompile LocalBridge.exe. which taught them how to create a valid JSON payload. It turned out they had to dig deeper. That meant analyzing AppBridge.dll next, since it contained the LaunchOfficeAppValidated method which the JSON payload is ultimately passed to.
As a different approach to dissecting the application that handles ms-officecmd: URIs, they tried inspecting an application which generates URIs that get handled by ms-officecmd:.They ended up at the Office UWP app. In this context it is good to know that the Office apps for phones using Windows 10 Mobile (Word, Excel, PowerPoint, OneNote) reached end of support on January 12, 2021. That means that since that date, app users no longer receive security updates, non-security hotfixes, free assisted support options or online technical content updates from Microsoft.
After some tinkering, the researchers managed to use the extracted JSON payload to open Office desktop applications via ms-officecmd: URIs. Specifically, the payload extracted from the Office UWP app could be used to open Outlook.
The researchers found that when an http(s) URL was provided in the filename property, Outlook would render the respective webpage in an IE11 powered embedded web view. No indication of the webpage’s origin or even the fact that the displayed content stemmed from an external webpage was given. This behavior could be abused to mount very believable phishing attacks, especially since mailto: links are, depending on local configuration, expected to open the user’s email program.
Based on this information, the researchers crafted a PoC that does the following once a user can be tricked into clicking a link on a malicious website:
The researchers have been going back and forth with Microsoft about this for months, having initially disclosed the weakness to Microsoft in March. Microsoft closed Positive Security’s initial report the very next day, based on what Positive Security called Microsoft’s “erroneous” belief that the exploit relies on social engineering, which would not meet the definition of a security vulnerability.
According to the researchers, the patch that was issued after five months seems to only affect Teams and Skype. The argument injection vulnerability described in this post is still present on fully patched Windows 10 and 11 systems. After the researchers brought this to Microsoft’s attention, they were told another patch addressing the argument injection was underway. Microsoft gave the researchers the go-ahead to post their write-up independently of its rollout.
Unfortunately, I was unable to confirm this. None of my Windows 10 machines have Edge Legacy installed and IE crashes on every exploit attempt, which is also annoying but not what I was waiting to see. When I tried it on the latest version of Edge, Malwarebytes Browser Guard blocked the download of the “outlook.exe.”
Anyway. This goes to show it pays to actually read the prompts and hover the links.
Stay safe, everyone!
SHARE THIS ARTICLE
ABOUT THE AUTHOR
Malware Intelligence Researcher
Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.
Write for Labs
Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.
Imagine a world without malware. We do.
NEWS AND PRESS
© All Rights Reserved
Select your language
Your intro to everything relating to cyberthreats, and how to stop them.
We research. You level up.