New Windows Search Zero-Day Vulnerability Can Be Exploited by Remotely Hosted Malware

Vlad CONSTANTINESCU

June 03, 2022

Security researchers have discovered a new Windows Search zero-day flaw that attackers could trigger simply by getting a target to open a Word document. The vulnerability allows threat actors to automatically open a Windows Search window listing remotely hosted malicious executables on the victim's system.

Exploiting this flaw is possible due to Windows’ URI protocol handler ‘search-ms’ that enables customized searches on devices using applications and HTML links. Although the protocol is designed to facilitate Windows searches using the local device index, hackers can force the operating system to perform file share queries on remote hosts.

Threat actors can also set a custom title for the search window. In a successful attack, perpetrators could set up a remote Windows share hosting malware posing as patches or security updates, then include the malicious search-ms URI in phishing emails or attachments.

However, getting a target to open such a link could prove challenging for an attacker. Attempting to open the URL triggers a warning on the system, cautioning users that a site is trying to access Windows Explorer.

In this situation, users would need to confirm their actions by clicking an additional button. However, pairing the search-ms protocol handler with another newly discovered Office OLEObject flaw could let hackers launch a custom search window by simply opening a Word document, as security researcher Matthew Hickey demonstrated.

For the exploit to work, a user would need to open the decoy Word document, then launch the malicious executable share from the customized search window. Attackers could mask the executable as a critical security update, tricking users into launching it on their systems.

To make matters worse, Hickey also demonstrated that threat actors could create Rich Text Format (RTF) files that automatically launch a custom Windows Search window via the preview tab in Explorer without opening the document.

The security researcher recommended the following mitigation steps for the newly discovered flaw:

  1. Run Command Prompt as Administrator
  2. Back up the registry key by running reg export HKEY_CLASSES_ROOT\search-ms filename in the CMD (where filename is the .reg file to write the backup to)
  3. Execute reg delete HKEY_CLASSES_ROOT\search-ms /f in the CMD
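The three steps above, scripted with a backup check before the key is deleted and a verification afterwards. This is an added example, not the researcher's or Bitdefender's code; it assumes an elevated PowerShell session, and the backup directory under ProgramData is a chosen default.

```powershell
# Added example: back up and then remove the search-ms protocol handler key.
# Assumes an elevated session; $BackupDir is an arbitrary location of our choosing.
#Requires -RunAsAdministrator

$KeyPath   = 'HKEY_CLASSES_ROOT\search-ms'
$BackupDir = Join-Path $env:ProgramData 'search-ms-mitigation'
$Backup    = Join-Path $BackupDir ('search-ms-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

function Test-SearchMsHandler {
    # $true while the search-ms: protocol handler is still registered.
    return Test-Path -LiteralPath "Registry::$KeyPath"
}

function Disable-SearchMsHandler {
    if (-not (Test-SearchMsHandler)) {
        Write-Host "$KeyPath is not present; nothing to do."
        return
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    # Step 2: export the key first so the change can be reverted.
    reg.exe export $KeyPath $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $Backup)) {
        throw "Backup of $KeyPath failed; the key was left untouched."
    }
    Write-Host "Backed up $KeyPath to $Backup"

    # Step 3: delete the handler so search-ms: URIs no longer open Explorer.
    reg.exe delete $KeyPath /f | Out-Null
    if ($LASTEXITCODE -ne 0 -or (Test-SearchMsHandler)) {
        throw "Deleting $KeyPath failed; restore with: reg.exe import `"$Backup`""
    }
    Write-Host "Removed $KeyPath. To revert: reg.exe import `"$Backup`""
}

Disable-SearchMsHandler
```

Note that removing the key also disables legitimate search-ms: links, so keep the exported .reg file to restore the handler once a fix is available.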

The Windows Search flaw’s discovery comes shortly after the critical Microsoft Office zero-day ‘Follina’ emerged. The latter can be exploited in PowerShell remote code execution attacks through the Microsoft Support Diagnostic Tool (MSDT).
