There is a new zero-day vulnerability in Windows Search that lets an attacker open a crafted search window listing remotely hosted malware executables. The user only needs to open a specially formed Word document, and the search window opens automatically.
On Windows, apps and even HTML links may include 'search-ms' references to open custom searches. A custom search may look as follows:
search-ms:query=proc&crumb=location:%5C%5Clive.sysinternals.com&displayname=Searching%20Sysinternals
By running such a line from the "Run" dialog (Win + R), you get a Windows Search window titled "Searching Sysinternals". The displayname variable defines the search title, and crumb defines the location to search for files; in the example it is location:\\live.sysinternals.com, a UNC path, so Windows connects to that remote host to list its files. This way, Windows Search supports looking for files on remote locations, such as mounted network shares, in addition to the locally stored search index. By defining a custom title, an attacker can mislead the user into thinking they are searching for files on some legitimate resource while the listed files actually come from a server the attacker controls.
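To make the mismatch between the displayed title and the real search location visible, here is a small PowerShell parser for search-ms: URIs. It is an added example, not code from the Winaero article; the function name and the two sample URIs (the article's Sysinternals one and a harmless local one) are constructed for this example.

```powershell
# Added example, not from the article: split a search-ms: URI into its
# parameters and report whether any "location:" crumb points at a UNC path,
# i.e. a remote host Windows will connect to when the search window opens.
function ConvertFrom-SearchMsUri {
    param([Parameter(Mandatory)][string]$Uri)

    $prefix = 'search-ms:'
    if (-not $Uri.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Not a search-ms: URI: $Uri"
    }

    # Parameters are '&'-separated key=value pairs; values are percent-encoded
    # (%5C%5C is "\\", %20 is a space). crumb may appear more than once.
    $params = @{}
    $crumbs = [System.Collections.Generic.List[string]]::new()
    foreach ($pair in $Uri.Substring($prefix.Length) -split '&') {
        if (-not $pair) { continue }
        $key, $value = $pair -split '=', 2
        $decoded = [System.Uri]::UnescapeDataString([string]$value)
        if ($key -eq 'crumb') { $crumbs.Add($decoded) } else { $params[$key] = $decoded }
    }

    # "location:<path>" crumbs tell Search where to look. A path starting with
    # "\\" is a UNC path, so the host after the backslashes is contacted.
    $locations = @($crumbs |
        Where-Object { $_ -like 'location:*' } |
        ForEach-Object { $_.Substring('location:'.Length) })
    $remote = @($locations | Where-Object { $_.StartsWith('\\') })

    [pscustomobject]@{
        Uri         = $Uri
        DisplayName = $params['displayname']   # what the user sees in the title bar
        Query       = $params['query']
        Locations   = $locations                # where the files really come from
        RemoteHosts = @($remote | ForEach-Object { ($_ -split '\\')[2] })
        IsRemote    = $remote.Count -gt 0
    }
}

# Constructed sample inputs: the article's example and a local search.
$samples = @(
    'search-ms:query=proc&crumb=location:%5C%5Clive.sysinternals.com&displayname=Searching%20Sysinternals',
    'search-ms:query=invoice&crumb=location:C:%5CUsers%5CPublic%5CDocuments&displayname=My%20Documents'
)
$samples | ForEach-Object { ConvertFrom-SearchMsUri -Uri $_ } |
    Format-Table DisplayName, IsRemote, RemoteHosts, Locations -AutoSize
```

The first sample reports IsRemote as True with live.sysinternals.com as the host; the second stays local. The same function can be pointed at search-ms: strings extracted from documents or proxy logs, where a friendly displayname paired with a UNC location is the pattern to look for.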
However, getting the user to open such a search is the hard part. When you click a search-ms link, say on a web page, the browser shows an extra warning asking whether to open the handler, so you can simply cancel it. In the case of Word, however, the search opens automatically.
A new flaw in Microsoft Office OLEObject handling allows bypassing Protected View and launching URI protocol handlers, Windows Search included, with no interaction beyond opening the document. The following demo by @hackerfantastic shows a Word document that automatically opens a Windows Search window and connects to a remote SMB share.
Microsoft Office search-ms: URI handler exploitation, requires user-interaction. Unpatched. pic.twitter.com/iYbZNtMpnx
— hackerfantastic.crypto (@hackerfantastic) June 1, 2022
And the same works for RTF files as well.
Vulnerability Mitigation
Before Microsoft releases a fix for this vulnerability, the user can unregister the search-ms protocol handler. Note that this disables every search-ms: link on the system, legitimate ones included, until the registration is restored. Here are the steps.
- Open Command Prompt as Administrator.
- Back up the current registration by issuing the command
reg export HKEY_CLASSES_ROOT\search-ms "%userprofile%\Desktop\search-ms.reg"
Correct the path to the REG file if needed.
- Delete the registration by executing the command
reg delete HKEY_CLASSES_ROOT\search-ms /f
This deletes the search-ms protocol registration entries from the Registry.
To undo the change later, double-click the exported search-ms.reg file, or run reg import with its path from an elevated Command Prompt.
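The same procedure as a PowerShell function, with an elevation check, a look at what the handler currently runs, verification after the delete, and a -Restore switch that re-imports the backup. This is an added example, not code from the article or from Microsoft; the function name and the default backup path are assumptions, and it uses reg.exe for export and import so the .reg file matches the one the manual steps produce.

```powershell
# Added example, not from the article: back up and unregister the search-ms:
# protocol handler, or restore it from the backup. Run from an elevated prompt.
function Disable-SearchMsProtocol {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumed default; change to wherever you keep the backup.
        [string]$BackupPath = (Join-Path $env:USERPROFILE 'Desktop\search-ms.reg'),
        [switch]$Restore
    )

    # HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes;
    # the machine-wide registration lives under HKLM, so elevation is needed.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]::new($identity)
    if (-not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell prompt.'
    }

    $key = 'Registry::HKEY_CLASSES_ROOT\search-ms'

    if ($Restore) {
        if (-not (Test-Path $BackupPath)) { throw "No backup found at $BackupPath" }
        reg.exe import $BackupPath
        if ($LASTEXITCODE -ne 0) { throw 'reg import failed.' }
        Write-Host "search-ms: registration restored from $BackupPath"
        return
    }

    if (-not (Test-Path $key)) {
        Write-Host 'search-ms: is not registered; nothing to do.'
        return
    }

    # Show what the handler currently launches, so you know what is being removed.
    $command = Get-ItemProperty -Path "$key\shell\open\command" -ErrorAction SilentlyContinue
    if ($command) { Write-Host "Current handler command: $($command.'(default)')" }

    # Export first so the change can be undone; /y overwrites an older backup.
    reg.exe export 'HKEY_CLASSES_ROOT\search-ms' $BackupPath /y
    if ($LASTEXITCODE -ne 0) { throw 'reg export failed; not deleting anything.' }

    if ($PSCmdlet.ShouldProcess($key, 'Remove protocol registration')) {
        Remove-Item -Path $key -Recurse -Force
        # Verify the handler is really gone.
        if (Test-Path $key) { throw 'search-ms: is still registered.' }
        Write-Host "search-ms: unregistered; backup saved to $BackupPath"
    }
}

# Disable-SearchMsProtocol -WhatIf   # preview
# Disable-SearchMsProtocol           # back up and unregister
# Disable-SearchMsProtocol -Restore  # put it back once a fix is installed
```

Supporting -WhatIf costs one attribute and lets you confirm the key path and backup location before anything is deleted; the Test-Path after Remove-Item is the check that the mitigation actually took effect.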
Microsoft is aware of the protocol issues and is working on a fix. A good thing the company could also do is make it impossible to launch URI handlers from Microsoft Office without user interaction.
Via bleepingcomputer