A new zero-day vulnerability in Windows Search has been found that can be used to automatically open a search window containing a remotely hosted malware executable simply by launching a Word document.
Windows supports a URI protocol handler called “search-ms”, which is used to allow applications and HTML links to launch customized searches on devices.
Windows Search searches the index on the local device, but you can also have Windows Search query file shares on remote hosts and use custom titles in the search window.
For example, the popular Sysinternals toolset allows you to remotely mount live.sysinternals.com as a network share and launch its utilities. To search this remote share and list only files matching a specific name, you can use a ‘search-ms’ URI like this
search-ms:query=proc&crumb=location:%5C%5Clive.sysinternals.com&displayname=Searching%20SysinternalsAs you can see from the above command, the “crumb” variable in search-ms specifies the location to search, and the “displayname” variable specifies the search title.
An attacker will be sent a phishing email posing as a security update or patch that needs to be installed, which can be used for malicious attacks.
And you can set up a Windows remote share that can be used to host malware masquerading as a security update, and include the search-ms URI in phishing attachments and emails.
Hacker House co-founder and security researcher Matthew Hickey has discovered a way to open a remote search window by simply opening a Word document by combining a newly discovered Microsoft Office OLEObject flaw with the search-ms protocol handler. discovered a way to open a remote search window
We also discovered that attackers are exploiting a new Windows zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT). To exploit this vulnerability, the threat actors have created a malicious Word document that invokes the “ms-msdt” URI protocol handler to execute PowerShell commands simply by opening the document.
This vulnerability, called CVE-2022-30190, allows a user to modify a Microsoft Office document to bypass Protected View and invoke the URI protocol handler without user interaction, which can only lead to further exploitation of the protocol handler. This can only lead to further exploitation of the protocol handler.
In this new PoC, when a user opens a Word document, the “search-ms” command is automatically invoked, opening a Windows Search window that lists executable files on a remote SMB share. The share can be given any name the attacker desires, such as “Critical Updates,” and will prompt the user to install the listed malware.
To mitigate this vulnerability, the search-ms protocol handler can be removed from the Windows registry, similar to the ms-msdt vulnerability countermeasure.
Workaround
- Run command prompt as administrator
- Run command “reg export HKEY_CLASSES_ROOT\search-ms search-ms.reg” to backup registry key
- Command “reg delete HKEY_CLASSES_ROOT\search-ms /f”
Microsoft’s guidance for CVE-2022-30190 indicates that the company is more concerned about the flaw in the protocol handler and its underlying Windows functionality appears to be addressed.
In response to a question about how Microsoft intends to resolve this issue, Microsoft has issued the following statement.
This social engineering technique requires users to execute malicious documents and interact with a list of executable files on a network share designated by the attacker. We recommend that users practice safe computing habits and only open files that come from trusted sources.
Comments