New Windows Search Zero-Day Vulnerability Can Be Exploited by Remotely Hosted Malware
Security researchers discovered a new Windows Search zero-day flaw that attackers could leverage by getting a user to open a Word document. The vulnerability would allow threat actors to automatically open a search window listing remotely hosted malicious executables on targeted systems.
Exploiting this flaw is possible because of Windows’ ‘search-ms’ URI protocol handler, which lets applications and HTML links launch customized searches on a device. Although the protocol is designed to run Windows searches against the local device index, attackers can force the operating system to perform file share queries against remote hosts instead.
Not only that, but threat actors can also use this vulnerability to give the search window a custom title. In a successful attack, perpetrators could set up a remote Windows share hosting malware posing as patches or security updates, then include the malicious search-ms URI in phishing emails or attachments.
However, getting a target to open such a link could prove challenging for an attacker. Attempting to open the URL triggers a warning on the system, cautioning users that a site is trying to access Windows Explorer.
In this situation, users would need to confirm their actions by clicking an additional button. However, pairing the search-ms protocol handler with another newly discovered Office OLEObject flaw could let hackers launch a custom search window by simply opening a Word document, as security researcher Matthew Hickey demonstrated.
For the exploit to work, a user would need to open the decoy Word document, then launch the malicious executable from the share listed in the customized search window. Attackers could disguise the executable as a critical security update, tricking users into running it on their systems.
To make matters worse, Hickey also demonstrated that threat actors could create Rich Text Format (RTF) files that automatically launch a custom Windows Search window via the preview tab in Explorer without opening the document.
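A defender-side check for the delivery method described above, as an added example that is not from the article or the researcher: it scans a .docx (a zip of XML parts, where external hyperlinks live in the relationship files) or an .rtf for search-ms: URIs and flags those whose crumb points at a UNC path (a remote share) or that set a custom window title. The parameter names follow the documented search-ms syntax (query, crumb=location:, displayname); the sample document, its share name and the helper names are constructed for this example.

```python
import html
import re
import zipfile
from io import BytesIO
from urllib.parse import unquote

# A search-ms: URI runs until whitespace, a quote, or a closing bracket.
SEARCH_MS_RE = re.compile(r"search-ms:[^\s\"'<>)}]+", re.IGNORECASE)


def parse_search_ms(uri):
    """Split 'search-ms:k1=v1&k2=v2' into a dict of percent-decoded values."""
    params = {}
    for part in uri[len("search-ms:"):].split("&"):
        key, _, value = part.partition("=")
        params[key.strip().lower()] = unquote(value)
    return params


def is_remote_location(params):
    """True when the crumb aims the search at a UNC path (a remote share)."""
    return params.get("crumb", "").lower().startswith("location:\\\\")


def scan_document(data, name):
    """Return findings for a .docx (zip of XML parts) or an .rtf (plain text)."""
    if zipfile.is_zipfile(BytesIO(data)):
        with zipfile.ZipFile(BytesIO(data)) as zf:
            texts = [zf.read(m).decode("utf-8", "replace")
                     for m in zf.namelist() if m.endswith((".xml", ".rels"))]
    else:
        texts = [data.decode("latin-1", "replace")]
    findings = []
    for text in texts:
        # XML stores '&' as '&amp;' between parameters; unescape before matching.
        for uri in SEARCH_MS_RE.findall(html.unescape(text)):
            p = parse_search_ms(uri)
            findings.append({"file": name, "uri": uri,
                             "remote": is_remote_location(p),
                             "title": p.get("displayname", "")})
    return findings


def build_sample_docx():
    """Constructed minimal .docx: a single external hyperlink relationship."""
    rels = ('<?xml version="1.0"?><Relationships>'
            '<Relationship Id="rId1" TargetMode="External" '
            'Target="search-ms:query=update&amp;crumb=location:'
            '\\\\SHARE.EXAMPLE\\updates&amp;displayname=Critical%20Updates"/>'
            '</Relationships>')
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()
```

A finding with `remote` set, or any non-empty `title`, is the combination the article describes and is worth quarantining for review; a local `location:` crumb is ordinary search behaviour.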
The security researcher recommended the following mitigation steps for the newly discovered flaw:
- Run Command Prompt as Administrator
- Back up the registry key by running `reg export HKEY_CLASSES_ROOT\search-ms filename` in the CMD (where `filename` is the backup file to create)
- Delete the key by running `reg delete HKEY_CLASSES_ROOT\search-ms /f` in the CMD
The Windows Search flaw’s discovery comes shortly after the critical Microsoft Office zero-day ‘Follina’ emerged. The latter can be exploited in PowerShell remote code execution attacks through the Microsoft Diagnostic Tool (MSDT).