Critical Drive-By RCE Vulnerability Found in Windows 10Researchers Say Microsoft Took 5 Months to Release a Patch
Researchers at Berlin-based cybersecurity research firm Positive Security have discovered a drive-by remote code execution vulnerability in Windows 10, specifically in systems using Internet Explorer 11 or Edge Legacy and MS Teams.
Lukas Euler, the managing director and security consultant at Positive Security, is one of the researchers who co-authored the report. In a conversation with Information Security Media Group, he says, "The attack allowed for arbitrary code execution with the privileges of the user that opened the malicious website or clicked the malicious link, giving the attacker full access to the user's files and data.
According to Euler and Positive Security researcher Fabian Bräunlein, the drive-by RCE vulnerability can be triggered by an argument injection in the Windows 10 default Uniform Resource Identifier handler. A URI helps identify a particular resource by name at a specified location or URL.
Staaldraad says on GitHub that an argument injection - much like a command injection - is used by hackers to pass controlled values or text into a shell function without adequate sanitization.
The German researchers also found several vulnerabilities in the MS Office suite. The list of vulnerable applications includes Outlook, Teams and Skype.
The researchers allege that Microsoft initially dismissed their report, but following an appeal, it bumped up the severity of the vulnerability to "Critical, RCE." Researchers tell ISMG that they had a payment dispute with the software giant on the bounty amount.
And they say that Microsoft took five months to release a patch for the drive-by RCE vulnerability, which took the researchers only two weeks to find. Euler says this means threat actors could have spotted the potential exploit during the time the vulnerability remained unpatched.
Critical Drive-by RCE Vulnerability
Of the multiple vulnerabilities Positive Security found in MS Office applications, Euler says that the most severe attack vector is the drive-by code execution vulnerability, which merely requires the victim to visit a malicious website through Internet Explorer 11.
Microsoft has yet to respond to ISMG’s queries on the company’s assessment of the reported vulnerability and Positive Security’s claim of releasing a patch five months after the flaw was reported.
A Kaspersky blog says that a drive-by download attack is a bigger threat than other forms of cyberattacks as a user does not have to click on a link, press "download," or open a malicious email attachment to become infected.
Drive-by download attacks are designed to either hijack the user's device, spy on the user's activity, corrupt the data, or altogether disable the user's device.
Positive Security's report explains how the RCE exploit works: When a Windows 10 user visits a malicious website with the Edge browser or clicks on a malicious "ms-officecmd:"-link in any application, arbitrary commands can be executed on the victim's computer.
Other Vulnerabilities in MS Office Suite
Positive Security's researchers found two vulnerabilities in other MS Office applications.
MS Teams and Skype
Euler says that by using the same vector instead of an RCE, it was possible to execute a silent man-in-the-middle attack against MS Teams and Skype.
According to the researchers, Teams and Skype are based on the Electron framework - an open-source software framework that allows for the development of desktop graphical user interface, or GUI, applications. Therefore, Teams and Skype are both equipped with a wide range of useful Electron command line arguments and Node.js command line arguments, the researchers say.
They found that one of these arguments - host-rules - can be used to remap IP addresses and host names, causing all relevant network traffic of the application to be directed to the chosen target.
Outlook's Phishing Vulnerability
Positive Security's researchers found that when an http(s) URL was provided in the filename property, Outlook would render the webpage in an Internet Explorer 11 powered embedded webview. The user does not even get to know if the displayed content is from an external webpage or any information about the origin of the webpage.
The researchers say that this feature can be exploited by threat actors to deploy very believable phishing attacks.
Delayed Patch, Bug Bounty Disputes
Euler tells ISMG that he and Bräunlein found several issues with Microsoft's bug bounty program.
"Initially, they misjudged and dismissed the issue entirely. After our appeal, the issue was classified as 'Critical, RCE,' but only 10% of the bounty advertised for its classification was awarded," he says.
The payout for reporting a critical vulnerability in a Microsoft product is $50,000. But Microsoft classified the vulnerability as noncritical and awarded them $5,000.
Moreover, the patch Microsoft came up with after five months prevents the specific exploit the researchers pointed out in their proof-of-concept, but they say it fails to "properly address the underlying argument injection."
Euler says that although they do not have any evidence of an in-the-wild exploitation of the RCE vulnerability in the past months, it is possible for others to have discovered them independently.
"It took us two weeks from deciding to look into Windows 10 URI handlers to developing the RCE POC," he says.
As the Positive Security researchers said earlier that their POC no longer works, the argument injection vulnerability has yet to be patched.
Previous Drive-By Attacks
Drive-by download attacks such as this one have been exploited by threat actors for some time now. The Russian APT group Dragonfly 2.0 has targeted government entities and multiple U.S. critical infrastructure sectors since 2015 using drive-by compromise attacks.
In 2017, a variant of the Petya group, Bad Rabbit APT, targeted Odessa International Airport, several Russian media outlets and the Interfax news agency. The group relied on victims downloading a fake Adobe Flash installer from infected websites.
MITRE ATT&CK Recommendations
MITRE ATT&CK recommends that organizations use browser sandboxes to mitigate some of the impact caused by a drive-by exploit. The advisory also says that other types of virtualization and application micro-segmentation could help mitigate the impact of client-side exploitation.
Security applications that specifically track behavior of the attack vector used during exploitation - for instance, Windows Defender Exploit Guard and Enhanced Mitigation Experience Toolkit - also can help companies stave off drive-by attacks.