A drive-by remote code execution (RCE) vulnerability in Windows 10 that can be triggered simply by clicking a malicious URL could allow attackers full access to a victim’s files and data.
The security flaw, an argument injection in the Windows 10/11 default handler for ms-officecmd: URIs, is present in Windows 10 via Internet Explorer 11/Edge Legacy browsers and Microsoft Teams.
Microsoft has since released a patch, but researchers claim that the fix – applied five months after the bug report “fails to properly address the underlying argument injection which is currently also still present on Windows 11”.
Windows internally uses ms-officecmd: URIs to start various Microsoft programs. Researchers revealed how it is possible to craft an URL in such a way that, when clicked, it will execute a malicious command while also starting Microsoft Teams.
Chained together with a security issue in Internet Explorer 11/Edge Legacy, visiting a malicious website is enough to trigger the exploit. The researchers also warned that this vulnerability is still present in the operating system.
The attack starts with a victim either visiting a malicious website in IE11/Edge Legacy or clicking a malicious link in another browser or desktop application. The link is then forwarded to LocalBridge.exe, which in turn runs various Office executables with a segment of the link as argument.
Possibility to inject additional arguments exists, which allowed us to achieve code execution by triggering the launch of Microsoft Teams with an additional –gpu-launcher argument that is then interpreted by Electron.
Exploitation through other browsers requires the victim to accept an inconspicuous confirmation dialog. Alternatively, a malicious URI could also be delivered via a desktop application performing unsafe URL handling. However, a precondition for this exploit is to have Microsoft Teams installed but not running.
When the issue was reported, Microsoft told the team that since this was a social engineering attack, it was not eligible for a bug bounty reward. A lengthy appeal process eventually resulted in the researchers being awarded a $5,000 reward – a figure that they argued was still insufficient, since it was just 10% of the maximum reward.
Although the proof-of-concept no longer works, the argument injection vulnerability has not been patched.