
New Windows Search Zero-Day Vulnerability Can Be Exploited by Remotely Hosted Malware

Vlad CONSTANTINESCU

June 03, 2022


Security researchers discovered a new Windows Search zero-day flaw that attackers can trigger by getting a victim to open a Word document. The vulnerability lets threat actors automatically open a Windows Search window that lists remotely hosted malicious executables on the target system.

Exploiting this flaw is possible because of the Windows ‘search-ms’ URI protocol handler, which lets applications and HTML links launch customized searches on a device. Although the protocol is designed to search the local device index, attackers can make the operating system query a file share on a remote host instead.

Not only that, but the same URI also lets an attacker set a custom title for the search window. In a successful attack, perpetrators could set up a remote Windows share hosting malware disguised as patches or security updates, then embed the malicious search-ms URI in phishing emails or attachments.
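As an added example (not code from the article or from the researcher), the following PowerShell function triages search-ms URIs pulled from a mail body or from the XML inside an Office document, reporting the search location and window title and flagging any URI that points Explorer at a remote share. The parameter names it parses (`crumb=location:...` and `displayname=...`) are assumed from the protocol's documented query syntax, which the article does not spell out; the sample input is constructed for the demonstration.

```powershell
# Added example: triage search-ms URIs found in mail bodies or extracted
# document XML. Flags a URI whose 'crumb' parameter points the search at a
# remote (UNC) location, which is the behaviour the article describes.
# Parameter names are assumed from the protocol's query syntax.

function Get-SearchMsUri {
    param([Parameter(Mandatory)][string]$Text)

    # Match search-ms: URIs; parameters are '&'-separated key=value pairs
    $pattern = 'search-ms:[^\s"''<>]+'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $raw = $m.Value
        $params = @{}
        foreach ($pair in ($raw.Substring('search-ms:'.Length) -split '&')) {
            $kv = $pair -split '=', 2
            if ($kv.Count -eq 2) {
                $params[$kv[0].ToLower()] = [uri]::UnescapeDataString($kv[1])
            }
        }
        $crumb = $params['crumb']
        $location = $null
        if ($crumb -and $crumb -match '^location:(.+)$') { $location = $Matches[1] }
        # A location beginning with \\ is a UNC path, i.e. a remote share
        $remote = $location -and $location -match '^\\\\'
        [pscustomobject]@{
            Uri         = $raw
            DisplayName = $params['displayname']
            Location    = $location
            RemoteShare = [bool]$remote
        }
    }
}

# Constructed sample: an HTML mail body with a benign local search and a
# lure that points Explorer at a remote share under a convincing title.
$sample = @'
<a href="search-ms:query=invoice&crumb=location:C:\Users\Public">Find invoices</a>
<a href="search-ms:query=update&crumb=location:\\203.0.113.10\updates&displayname=Critical%20Security%20Updates">Install</a>
'@

# Only the second URI is reported: Location \\203.0.113.10\updates, RemoteShare True
Get-SearchMsUri -Text $sample | Where-Object RemoteShare | Format-List
```

The same function can be pointed at the `word/document.xml` and `word/_rels/*.rels` parts of an unzipped .docx, since an external reference embedded through an OLE object ends up as a URI in those files.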

However, getting a target to open such a link could prove challenging for an attacker. Attempting to open the URL triggers a warning on the system, cautioning the user that a website is trying to open Windows Explorer.

In this situation, the user would need to confirm the action by clicking an additional button. However, pairing the search-ms protocol handler with another newly discovered Office OLEObject flaw lets attackers launch a custom search window simply by having the victim open a Word document, as security researcher Matthew Hickey demonstrated.

For the exploit to work, a user would need to open the decoy Word document and then launch the malicious executable from the remote share shown in the customized search window. Attackers could disguise the executable as a critical security update, tricking users into running it on their systems.

To make matters worse, Hickey also demonstrated that threat actors could create Rich Text Format (RTF) files that automatically launch a custom Windows Search window from the Explorer preview pane, without the document ever being opened.

The security researcher recommended the following mitigation steps for the newly discovered flaw, which remove the search-ms protocol handler registration until a patch is available:

  1. Run Command Prompt as Administrator
  2. Back up the registry key by running reg export HKEY_CLASSES_ROOT\search-ms filename in the CMD, where filename is the .reg file the backup is written to
  3. Execute reg delete HKEY_CLASSES_ROOT\search-ms /f in the CMD

Deleting the key disables every search-ms link on the machine, including legitimate ones, so keep the exported backup so the handler can be restored later with reg import.
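The three steps above as an added PowerShell script (not the researcher's own script) that backs up the key, verifies the backup succeeded before deleting anything, and keeps a restore path. The backup location under `$env:ProgramData` and the function names are assumptions for the example; it must run from an elevated session.

```powershell
# Added example: the mitigation above as an idempotent script with an
# explicit restore path. Uses reg.exe so the backup is a standard .reg file.
# Backup path and function names are assumptions for this example.

$Key        = 'HKEY_CLASSES_ROOT\search-ms'
$BackupFile = Join-Path $env:ProgramData 'search-ms-handler.reg'   # assumed location

function Test-Elevated {
    # reg delete under HKEY_CLASSES_ROOT fails silently-looking without admin rights
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-SearchMsHandler {
    # Quick fleet-audit check: is the search-ms handler still registered?
    [bool](Test-Path "Registry::$Key")
}

function Disable-SearchMsHandler {
    if (-not (Test-Elevated)) { throw 'Run from an elevated PowerShell session.' }
    if (-not (Test-SearchMsHandler)) {
        Write-Host "$Key is not registered; nothing to do."
        return
    }
    # Step 2: back up the key so the handler can be restored once patched
    reg.exe export $Key $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup failed (exit $LASTEXITCODE); key left in place." }
    # Step 3: remove the protocol handler registration
    reg.exe delete $Key /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Delete failed (exit $LASTEXITCODE)." }
    Write-Host "search-ms handler removed; backup at $BackupFile"
}

function Restore-SearchMsHandler {
    # Reverse the mitigation once a vendor fix is installed
    if (-not (Test-Elevated)) { throw 'Run from an elevated PowerShell session.' }
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import failed (exit $LASTEXITCODE)." }
    Write-Host "search-ms handler restored from $BackupFile"
}

Disable-SearchMsHandler
Test-SearchMsHandler   # $false once the key is gone
```

`Test-SearchMsHandler` on its own is a useful compliance check to push through a management tool: it returns `$true` on any endpoint where the mitigation has not been applied or has been reverted.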

The Windows Search flaw’s discovery comes shortly after the critical Microsoft Office zero-day ‘Follina’ emerged. The latter can be exploited for remote code execution, launching PowerShell through the Microsoft Support Diagnostic Tool (MSDT).
