New Windows Search Zero-Day Vulnerability Can Be Exploited by Remotely Hosted Malware
Security researchers discovered a new Windows Search zero-day flaw that attackers could trigger simply by getting a target to open a Word document. The vulnerability lets threat actors automatically open a Windows Search window listing remotely hosted malicious executables on the targeted system.
Exploiting this flaw is possible because of Windows' 'search-ms' URI protocol handler, which lets applications and HTML links launch customized searches on a device. Although the protocol is designed to search the local device index, attackers can point it at a remote file share, so Windows queries a host they control.
Not only that, but the same URI lets attackers set a custom title for the search window. In a successful attack, perpetrators could set up a remote Windows share hosting malware posing as patches or security updates, then embed the malicious search-ms URI in phishing emails or attachments.
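The following PowerShell function is an added example, not code from the article or from the researcher's proof of concept. It triages a search-ms: link pulled from an email or document and flags the two traits the attack described above depends on: a crumb that points the search at a remote host instead of the local index, and an attacker-chosen window title. The parameter names (query, crumb, displayname) follow Microsoft's documented search-ms syntax; the two sample links and the 203.0.113.10 address are constructed for this example.

```powershell
# Added example: classify a search-ms: URI as local or remote-targeting.
function Test-SearchMsUri {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Uri)

    # Only search-ms: links are of interest; anything else returns nothing
    if ($Uri -notmatch '^search-ms:(?<qs>.*)$') { return $null }

    # The scheme is followed by &-separated key=value pairs, possibly percent-encoded
    $params = @{}
    foreach ($pair in ($Matches['qs'] -split '&')) {
        $k, $v = $pair -split '=', 2
        if ($k -and $null -ne $v) {
            $params[$k.Trim().ToLower()] = [uri]::UnescapeDataString($v)
        }
    }

    # crumb=location:<path> tells Explorer where to search
    $crumb = $params['crumb']
    $location = if ($crumb -match '^location:(?<loc>.+)$') { $Matches['loc'].Trim() } else { $null }

    # A UNC path (\\host\share) or an http(s)/ftp location means the search window
    # enumerates files on a host the sender controls, not the local index
    $remote = ($null -ne $location) -and
              ($location -match '^\\\\' -or $location -match '^(https?|ftp)://')

    [pscustomobject]@{
        Uri         = $Uri
        Query       = $params['query']
        Location    = $location
        DisplayName = $params['displayname']   # attacker-chosen title, if any
        Remote      = $remote
    }
}

# Constructed sample links, as they might be extracted from a phishing email
$samples = @(
    'search-ms:query=report&crumb=location:C:\Users\Public\Documents&displayname=My%20Documents',
    'search-ms:query=install&crumb=location:\\203.0.113.10\updates&displayname=Critical%20Security%20Updates'
)
$samples | ForEach-Object { Test-SearchMsUri $_ } | Format-Table Remote, Location, DisplayName
```

The first sample resolves to a local folder and is reported as Remote = False; the second points Explorer at a UNC share on a remote address under a "Critical Security Updates" title, the combination this article describes, and is reported as Remote = True. A mail gateway or EDR rule can key on the same test: any search-ms link whose crumb is a UNC or URL location deserves a block or at least an alert.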
However, getting a target to open such a link directly is not trivial. Opening the URL from a browser triggers a prompt warning the user that the site is trying to open Windows Explorer.
The user would have to confirm the action by clicking an additional button. However, pairing the search-ms protocol handler with a newly discovered Office OLEObject flaw lets attackers launch the custom search window simply by having the target open a Word document, as security researcher Matthew Hickey demonstrated.
For the exploit to work, a user would need to open the decoy Word document and then run the malicious executable from the remote share listed in the customized search window. Attackers could disguise the executable as a critical security update to trick users into launching it.
To make matters worse, Hickey also showed that threat actors can craft Rich Text Format (RTF) files that launch the custom Windows Search window from Explorer's preview pane, without the document ever being opened.
The security researcher recommended the following mitigation, which removes the search-ms protocol handler until Microsoft ships a fix:
- Run Command Prompt as Administrator
- Back up the registry key by running the following in the CMD, where filename is the path of the .reg file the backup is written to:
reg export HKEY_CLASSES_ROOT\search-ms filename
- Delete the key by running the following in the CMD:
reg delete HKEY_CLASSES_ROOT\search-ms /f
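The script below is an added example, not the researcher's own mitigation script or anything from the article. It performs the same three steps, but refuses to delete the key unless the backup was actually written, confirms the key is gone afterwards, and prints the restore command. Deleting the handler also breaks any legitimate search-ms links on the machine, which is why the export comes first. The $BackupDir location is an assumption; point it somewhere that survives the host being rebuilt.

```powershell
#Requires -RunAsAdministrator
# Added example: back up, then remove, the search-ms protocol handler.
param([string]$BackupDir = "$env:SystemDrive\search-ms-mitigation")   # assumed location

$Key = 'HKEY_CLASSES_ROOT\search-ms'

function Backup-SearchMsHandler {
    param([string]$Dir)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    $file = Join-Path $Dir ('search-ms-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    # reg export writes a .reg file; /y overwrites without prompting
    reg.exe export $Key $file /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $file)) {
        throw "Backup of $Key failed; not deleting the key."
    }
    return $file
}

function Remove-SearchMsHandler {
    # /f deletes the key and all subkeys without confirmation
    reg.exe delete $Key /f | Out-Null
    if ($LASTEXITCODE -ne 0 -or (Test-Path "Registry::$Key")) {
        throw "Could not remove $Key"
    }
}

if (-not (Test-Path "Registry::$Key")) {
    Write-Host "$Key is already absent; nothing to do."
    return
}

$backup = Backup-SearchMsHandler -Dir $BackupDir
Remove-SearchMsHandler
Write-Host "search-ms handler removed. Backup written to $backup"
Write-Host "To restore once a patch is installed, run: reg import `"$backup`""
```

After the script runs, a search-ms: link from a document or browser no longer has a handler to invoke, so the custom search window cannot appear. Re-importing the saved .reg file with reg import restores the original behaviour.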
The Windows Search flaw's discovery comes shortly after the critical Microsoft Office zero-day 'Follina' (CVE-2022-30190) emerged. The latter can be exploited for remote code execution, running PowerShell through the Microsoft Support Diagnostic Tool (MSDT).