Security researchers discovered a new Windows Search zero-day flaw attackers could leverage by launching a Word document. The vulnerability would allow threat actors to automatically open a search window comprising remotely hosted malicious executables on compromised systems.
Exploiting this flaw is possible due to Windows’ URI protocol handler ‘search-ms’ that enables customized searches on devices using applications and HTML links. Although the protocol is designed to facilitate Windows searches using the local device index, hackers can force the operating system to perform file share queries on remote hosts.
Not only that, but threat actors can also exploit this vulnerability to use a custom title for the search window. In a successful attack, perpetrators could configure a remote Windows share-hosting malware posing as patches or security updates, then include the malicious search-ms URI in phishing emails or attachments.
However, getting a target to open such a link could prove challenging for an attacker. Attempting to open the URL triggers a warning on the system, cautioning users that a site is trying to access Windows Explorer.
In this situation, users would need to confirm their actions by clicking an additional button. However, pairing the search-ms protocol handler with another newly discovered Office OLEObject flaw could let hackers launch a custom search window by simply opening a Word document, as security researcher Matthew Hickey demonstrated.
For the exploit to work, a user would need to open the decoy Word document, then launch the malicious executable share from the customized search window. Attackers could mask the executable as a critical security update, tricking users into launching it on their systems.
To make matters worse, Hickey also demonstrated that threat actors could create Rich Text Format (RTF) files that automatically launch a custom Windows Search window via the preview tab in Explorer without opening the document.
The security researcher recommended the following mitigation steps for the newly discovered flaw:
reg export HKEY_CLASSES_ROOT\search-msfilename
in the CMDreg delete HKEY_CLASSES_ROOT\search-ms /f
in the CMDThe Windows Search flaw’s discovery comes shortly after critical Microsoft Office zero-day ‘Follina’ emerged. The latter can be exploited in PowerShell remote code execution attacks through Microsoft Diagnostic Tool (MSDT).
tags
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
View all postsNovember 14, 2024
September 06, 2024