A vulnerability allows running a Windows search from MS Office files without user interaction

There is a new zero-day vulnerability in Windows Search that allows opening a malformed search window with remotely-hosted malware executables. The user only need to open a specially formed Word document, and the search will automatically open.

On Windows, apps and even HTML links may include 'search-ms' references to open custom searches. A custom search may look as follows:


By running such a line from the "Run" dialog (Win + R), you will see something like this:

The displayname variable defines the search title, and crumb defines the location to search for files. This way, Windows Search supports looking for files on remote locations, such as mounted network shares, in addition to the search index stored locally. By defining a custom title, an attacker may mislead the user and make him think he is searching for files on some legitimate resource.

However, it is an issue to make the user to open such a search. When you click an search-ms link say on a web page, the browser will show an extra warning, so you can simply cancel opening it.

But in case of Word, the search will open automatically.

A new flaw in Microsoft Office OLEObject allows bypassing Protected View and launching URI protocol handlers without user interaction, including Windows Search.  The following demo by @hackerfantastic shows a Word document that automatically opens a Windows Search window and connects to a remote SMB.

And the same works for RTF files as well.

Vulnerability Mitigation

Before Microsoft releases a fix for this vulnerability, the user can simply unregister the search protocol. Here are the steps.

  1. Open Command Prompt as Administrator.
  2. Issue the command reg export HKEY_CLASSES_ROOT\search-ms "%userprofile%\Desktop\search-ms.reg". Correct the path to the REG if needed.
  3. Execute the command reg delete HKEY_CLASSES_ROOT\search-ms /f. This will delete the search-ms protocol registration entries from the Registry.

Microsoft is aware of the protocol issues and is working to on a fix. Also, a good thing the company can do is to make impossible to launch URI handlers in Microsoft Office without user interaction.

Via bleepingcomputer

Support us

Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options:

If you like this article, please share it using the buttons below. It won't take a lot from you, but it will help us grow. Thanks for your support!

Author: Sergey Tkachenko

Sergey Tkachenko is a software developer who started Winaero back in 2011. On this blog, Sergey is writing about everything connected to Microsoft, Windows and popular software. Follow him on Telegram, Twitter, and YouTube.

Leave a Reply

Your email address will not be published.

Exit mobile version
Using Telegram? Subscribe to the blog channel!
Hello. Add your message here.