Another Windows protocol vulnerability emerges; this time it is a Windows Search zero-day

Laptop security

Following on from the Follina security flaw, another Windows zero-day vulnerability has come to light. Dubbed SearchNightmare, the issue allows the search-ms URI protocol handler to be used to launch remotely hosted malware-ridden executables via a search window.

The protocol is normally used to perform local searches, but it can also be used to do the same with shared files on a remote host. An attacker could easily trick a victim into clicking a search-ms URI, and a method has been found to bypass the security warning that should be displayed by default.

See also:

By combining a Microsoft Office vulnerability with this new zero-day, security researcher Matthew Hickey has shown that is possible to use a malicious Word file to open a remote search window. Hickey, the co-founder of Hacker House, produced a proof-of-concept illustrating how a victim could be fooled into installing malware.

As shared by Bleeping Computer, in Hickey's PoC, he shows how a Word file can be used to open a Windows Search window comprising results of malicious files hosted remotely. The remote share can be given an innocent or misleading name, thereby tricking a victim into thinking that malicious files are in fact important software updates.

A video shows an attack in progress, and in lieu of an official fix, Hickey has provided details of a workaround:

As Bleeping Computer points out, this is not the first time such an attack has been used, and it is unlikely to be the last:

Until Microsoft makes it impossible to launch URI handlers in Microsoft Office without user interaction, be prepared for a whole series of similar news articles as new exploits are released.

Microsoft has yet to comment on the matter.

Image credit: Narith Thongphasuk38 / Shutterstock

Comments are closed.

© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.