Code smuggling vulnerability in Windows only half-heartedly closed

The positive.security researchers tracked down vulnerabilities in the URI handler for the ms-officecmd: scheme in Windows 10 and 11: arbitrary arguments can be injected into it. URI handlers can be understood as links that, instead of opening a website, launch the program registered for that protocol.

Proof-of-concept (PoC) software built on this demonstrated exploitation of the gap to inject arbitrary code – in Internet Explorer 11 or Edge Legacy without any user interaction, simply by visiting a “malicious” website. The specific example targeted an installed Microsoft Teams, which was supposed to be started via a manipulated URI handler call; instead, automatically downloaded code was executed.

In a blog post, the positive.security members describe in detail how they found the holes and how their communication with Microsoft’s security teams went. A first patch rendered the proof-of-concept code useless without user interaction. Other programs such as the Chrome web browser can still be used to slip in arbitrary code, but require confirmation from the user. A further update from Microsoft was then supposed to fix additional vulnerabilities in the ms-officecmd: URI handler. According to positive.security, this has not yet been fully achieved: a second PoC – one that requires user interaction – still works.

Positive.security state that they set out to find a vulnerability allowing execution of malicious code in a standard Windows 10 URI handler and succeeded within two weeks. “Given the amount of URI handlers Windows ships with, it is very likely that others are also vulnerable,” the researchers explain.
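Inventorying the URI handlers registered on a machine is the first step towards reviewing them. The following PowerShell is an added example written for this article, not code from positive.security or Microsoft; it assumes the standard registration layout (a class key under HKEY_CLASSES_ROOT carrying a "URL Protocol" value and a shell\open\command subkey holding the command line), and the PassesUri heuristic is the author's own.

```powershell
# Added example: list URL protocol handlers registered on this Windows machine,
# so the commands behind schemes such as ms-officecmd: can be reviewed.
# Assumption: handlers follow the standard layout
#   HKCR\<scheme>            -> has a "URL Protocol" value
#   HKCR\<scheme>\shell\open\command -> default value is the command line

function Get-UriProtocolHandler {
    [CmdletBinding()]
    param(
        # Hive to scan; HKCR merges machine-wide and per-user classes.
        [string]$Root = 'Registry::HKEY_CLASSES_ROOT'
    )

    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue |
        Where-Object {
            # Keep only keys that declare themselves as URL protocol handlers.
            $null -ne (Get-ItemProperty -Path $_.PSPath -Name 'URL Protocol' -ErrorAction SilentlyContinue)
        } |
        ForEach-Object {
            $cmdKey = Join-Path -Path $_.PSPath -ChildPath 'shell\open\command'
            $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{
                Scheme    = $_.PSChildName
                Command   = $cmd
                # Heuristic (assumption): a command line that receives the raw URI
                # via %1 is where injected arguments would end up, so review it first.
                PassesUri = [bool]($cmd -match '%1')
            }
        }
}

# Show the handlers that hand the raw URI to a program, sorted by scheme name.
Get-UriProtocolHandler |
    Where-Object PassesUri |
    Sort-Object Scheme |
    Format-Table -AutoSize
```

Run from an elevated prompt if per-machine classes are not readable for the current user; the output is a review list, not a verdict on any individual handler.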

However, the group is at odds with Microsoft over the size of the bounty. Microsoft offers up to 50,000 US dollars for vulnerabilities that can lead to execution of malicious code without further user intervention. Positive.security received only $5,000, the amount paid for “common” vulnerabilities. When they complained, Microsoft argued that IE11 and Edge Legacy were no longer part of this bounty program.

Another point of contention is the lack of a CVE entry for the vulnerability and, with it, the lack of public communication. Here the Redmond-based company explains that CVE numbers are only assigned for updates delivered via Windows Update; changes to websites, downloads via Defender or the Store do not receive CVE entries to the same extent. Microsoft apparently distributed the URI handler updates in the latter way.

The analysts from positive.security discovered similar security gaps in LibreOffice, VLC & Co. in the spring: links were not checked sufficiently, enabling malicious-code attacks.


(dmk)