Protocol vulnerability allows launching malicious Windows Search by just opening Word file

    aum

    Following reports about Microsoft Support Diagnostic Tool vulnerabilities, researchers uncovered another zero-day that allows a connection to remotely-hosted malware. The issue lies in the "search-ms" uniform resource identifier (URI) protocol handler, which allows apps and links to launch searches on a computer.


    Modern Windows versions, such as 11, 10, and 7, allow Windows Search to browse files locally and on remote hosts. A search-ms URI can specify the remote host address and the display name shown in the title bar of the search window. Windows can launch such customized search windows from various places, such as a web browser or the Run dialog (Win + R).


    BleepingComputer says a bad actor can use the protocol handler to create, for example, a fake Windows Update directory and trick the user into clicking malware disguised as a legitimate update. Still, execution requires an action from the target, and modern browsers, such as Microsoft Edge, show additional security warnings. This is where other flaws come into play.


    As it turned out, the search-ms protocol handler can be combined with a new flaw in Microsoft Office OLEObject, which allows bypassing Protected View and launching URI protocol handlers without user interaction. @hackerfantastic demonstrated the idea by crafting a Word document that automatically opens a Windows Search window and connects to a remote SMB share. Because search-ms allows renaming search windows, attackers can prepare "personalized" searches to mislead their targets.


     Microsoft Office search-ms: URI handler exploitation, requires user interaction. Unpatched. pic.twitter.com/iYbZNtMpnx
     — hackerfantastic.crypto (@hackerfantastic) June 1, 2022


    Another proof-of-concept shows an RTF document that does the same. This time, it does not even require launching Word: a new search window opens as soon as File Explorer renders the file in the Preview Pane.


    Here is the same search-ms attack being leveraged through an RTF document when Windows Preview Pane is enabled... 😉 pic.twitter.com/AmOeGWltjm
     — hackerfantastic.crypto (@hackerfantastic) June 1, 2022
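    Both proofs-of-concept rely on a document carrying a search-ms: URI that Word or the Preview Pane hands to the protocol handler. A defender can look for that URI before such files reach a desktop. The following PowerShell script is an added example, not code from the article or from the researcher it quotes. It assumes only two documented facts: OOXML files (.docx, .docm, .dotx, .dotm) are ZIP archives of XML parts, and RTF stores embedded objects as hex text after the \objdata control word. Where in a given document the URI would actually sit is not stated on the page, so the script simply searches every text part (and both ASCII and UTF-16 decodings of each RTF object blob) for the scheme string; the function names and the quarantine path in the usage line are my own.

```powershell
# Added example (not from the article): scan Office and RTF files for an embedded
# search-ms: URI so they can be reviewed or quarantined before anyone opens or previews them.
Add-Type -AssemblyName System.IO.Compression.FileSystem

$Scheme = 'search-ms:'   # the URI scheme the article describes

function Test-OoxmlForSearchMs {
    # .docx/.docm/.dotx/.dotm are ZIP archives of XML parts; a URI would be stored as
    # text in one of them, so every XML and .rels part is read and searched.
    param([Parameter(Mandatory)][string]$Path)
    $hits = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName -notmatch '\.(xml|rels)$') { continue }   # skip media blobs
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { $text = $reader.ReadToEnd() } finally { $reader.Dispose() }
            if ($text -match [regex]::Escape($Scheme)) {
                $hits += [pscustomobject]@{ File = $Path; Location = $entry.FullName }
            }
        }
    } finally { $zip.Dispose() }
    return $hits
}

function ConvertFrom-HexString {
    # RTF carries embedded objects as hex text after \objdata; decode it so a URI
    # inside the object can be matched. Both ASCII and UTF-16 decodings are returned
    # because an OLE object may store strings either way (assumption, not from the article).
    param([string]$Hex)
    $clean = $Hex -replace '\s', ''
    if ($clean.Length % 2 -eq 1) { $clean = $clean.Substring(0, $clean.Length - 1) }
    $bytes = [byte[]]::new($clean.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($clean.Substring(2 * $i, 2), 16)
    }
    return @([Text.Encoding]::ASCII.GetString($bytes), [Text.Encoding]::Unicode.GetString($bytes))
}

function Test-RtfForSearchMs {
    param([Parameter(Mandatory)][string]$Path)
    $hits = @()
    $raw = Get-Content -Path $Path -Raw
    $needle = [regex]::Escape($Scheme)
    if ($raw -match $needle) {
        $hits += [pscustomobject]@{ File = $Path; Location = 'plain text' }
    }
    foreach ($m in [regex]::Matches($raw, '\\objdata\s*([0-9A-Fa-f\s]+)')) {
        foreach ($decoded in (ConvertFrom-HexString $m.Groups[1].Value)) {
            if ($decoded -match $needle) {
                $hits += [pscustomobject]@{ File = $Path; Location = 'embedded object (\objdata)' }
                break
            }
        }
    }
    return $hits
}

function Find-SearchMsDocuments {
    # Walk a directory (for example a mail-attachment quarantine) and report every hit.
    param([Parameter(Mandatory)][string]$Root)
    $files = Get-ChildItem -Path $Root -Recurse -File -Include *.docx, *.docm, *.dotx, *.dotm, *.rtf
    foreach ($file in $files) {
        try {
            if ($file.Extension -ieq '.rtf') { Test-RtfForSearchMs $file.FullName }
            else { Test-OoxmlForSearchMs $file.FullName }
        } catch {
            Write-Warning "Could not parse $($file.FullName): $_"
        }
    }
}

# Usage (path is a placeholder):
#   Find-SearchMsDocuments -Root 'C:\Quarantine' | Format-Table
```

    A hit means the file references the search-ms handler, not that it is malicious; legitimate documents rarely do, so review anything reported. Legacy binary .doc files are not ZIP-based and are not covered by this script.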


    Users can protect their systems by doing what Microsoft recommends to mitigate the MSDT vulnerability. Removing the search-ms protocol handler from the Windows Registry will help secure a system:


    1.  Press Win + R, type cmd and press Ctrl + Shift + Enter to run Command Prompt as Administrator.
    2.  Type reg export HKEY_CLASSES_ROOT\search-ms search-ms.reg and press Enter to create a backup of the key.
    3.  Type reg delete HKEY_CLASSES_ROOT\search-ms /f and press Enter to remove the key from Windows Registry.
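    For anyone applying those three steps across more than one machine, here is the same procedure as a PowerShell script. It is an added example, not from the article or from Microsoft: it uses the registry key and reg.exe commands the steps above name, checks that the backup succeeded before deleting anything, verifies the result, and can restore the key from that backup later. The backup directory under ProgramData and the function names are my own choices, and reading the handler's command from shell\open\command relies on the standard layout of URL protocol keys rather than anything stated on the page.

```powershell
# Added example (not from the article): the three manual steps as a script, with a
# verification step and a way to undo the change. Run from an elevated PowerShell session.
$Key       = 'HKEY_CLASSES_ROOT\search-ms'
$BackupDir = Join-Path $env:ProgramData 'search-ms-mitigation'   # backup location is an assumption
$Backup    = Join-Path $BackupDir 'search-ms.reg'

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-SearchMsHandler {
    # Reports whether the handler is registered and, if so, what command it runs.
    # shell\open\command is the standard layout for URL protocol handlers (assumption).
    if (-not (Test-Path "Registry::$Key")) {
        return [pscustomobject]@{ Registered = $false; Command = $null }
    }
    $cmd = (Get-ItemProperty -Path "Registry::$Key\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    return [pscustomobject]@{ Registered = $true; Command = $cmd }
}

function Disable-SearchMsHandler {
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell session (step 1).' }
    if (-not (Get-SearchMsHandler).Registered) {
        Write-Host 'search-ms handler is already absent; nothing to do.'
        return
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    # Step 2: back up the key; abort before deleting anything if the export fails
    & reg.exe export $Key $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $Backup)) {
        throw "Backup to $Backup failed (reg.exe exit code $LASTEXITCODE); key left in place."
    }

    # Step 3: remove the handler
    & reg.exe delete $Key /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe delete failed with exit code $LASTEXITCODE." }

    # Verify rather than assume
    if ((Get-SearchMsHandler).Registered) { throw 'Key still present after delete.' }
    Write-Host "search-ms handler removed. Backup saved to $Backup"
}

function Restore-SearchMsHandler {
    # Undo: re-import the exported key, for example once a vendor fix is installed.
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell session.' }
    if (-not (Test-Path $Backup)) { throw "No backup found at $Backup." }
    & reg.exe import $Backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe import failed with exit code $LASTEXITCODE." }
    if (-not (Get-SearchMsHandler).Registered) { throw 'Key still absent after import.' }
    Write-Host 'search-ms handler restored.'
}

# Usage:
#   Get-SearchMsHandler        # inspect the current state
#   Disable-SearchMsHandler    # steps 1-3 of the article, with backup and verification
#   Restore-SearchMsHandler    # roll back from the saved .reg file
```

    Note that deleting the key disables every search-ms: link on the machine, including legitimate ones, which is why the script keeps the export and offers a restore.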


    Microsoft is working on fixing the vulnerabilities in protocol handlers and related Windows features. Still, experts claim attackers will find other handlers to exploit, and Microsoft should focus on making it impossible to launch URL handlers from the Office apps without user interaction. A similar situation happened last year with PrintNightmare, when Microsoft fixed one component only for researchers to uncover other vulnerabilities.


    Source

