Another Windows protocol vulnerability emerges; this time it is a Windows Search zero-day
Following on from the Follina security flaw, another Windows zero-day vulnerability has come to light. Dubbed SearchNightmare, the issue allows the search-ms URI protocol handler to be used to launch remotely hosted malware-ridden executables via a search window.
The protocol is normally used to perform local searches, but it can also be used to do the same with shared files on a remote host. An attacker could easily trick a victim into clicking a search-ms URI, and a method has been found to bypass the security warning that should be displayed by default.
By combining a Microsoft Office vulnerability with this new zero-day, security researcher Matthew Hickey has shown that it is possible to use a malicious Word file to open a remote search window. Hickey, the co-founder of Hacker House, produced a proof-of-concept illustrating how a victim could be fooled into installing malware.
As shared by Bleeping Computer, Hickey's PoC shows how a Word file can be used to open a Windows Search window listing malicious files hosted on a remote share. The remote share can be given an innocent or misleading name, thereby tricking a victim into thinking that the malicious files are in fact important software updates.
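The two mechanisms described above, a search-ms URI whose location crumb points at a remote host and a display name chosen to mislead the victim, are both visible in the URI itself. As an added example (not code from the article, from Hickey or from Bleeping Computer), the following Python script scans text extracted from a document or e-mail for search-ms: URIs, parses the parameters that Microsoft documents for the protocol (query=, crumb=location:, displayname=), and flags any URI whose location is a UNC or web path rather than a local drive, reporting the display name so an analyst can see the label the victim would have been shown. The Office relationships fragment, the host address and the share name are constructed sample input; the remote-path test is an assumption that local searches use drive-letter paths.

```python
import html
import re
from urllib.parse import unquote

# A search-ms: URI runs until whitespace or a quote/angle bracket (the delimiters
# that end an attribute value or a hyperlink in extracted document text).
SEARCH_MS_RE = re.compile(r"search-ms:[^\s\"'<>]+", re.IGNORECASE)

# Assumption: anything that is not a drive-letter path is off-box. UNC shares
# (\\host\share), forward-slash UNC and HTTP(S)/WebDAV locations all qualify.
REMOTE_LOCATION_RE = re.compile(r"^(\\\\|//|https?:)", re.IGNORECASE)

# Constructed sample: two hyperlink relationships as they would appear in a
# document's .rels XML. The first is a harmless local search, the second points
# at a remote share and carries a reassuring display name.
SAMPLE_DOCUMENT_XML = (
    '<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
    'Target="search-ms:query=report&amp;crumb=location:C:\\Users\\alice\\Documents&amp;displayname=My%20Documents" '
    'TargetMode="External"/>\n'
    '<Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
    'Target="search-ms:query=update&amp;crumb=location:\\\\203.0.113.5\\updates&amp;displayname=Important%20Updates" '
    'TargetMode="External"/>\n'
)


def parse_search_ms(uri):
    """Split a search-ms: URI into its '&'-separated parameters.

    Keys are lower-cased and values percent-decoded; repeated keys (a URI may
    carry several crumb= parameters) are collected into lists.
    """
    body = uri[len("search-ms:"):]
    params = {}
    for part in body.split("&"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        params.setdefault(key.strip().lower(), []).append(unquote(value))
    return params


def remote_locations(params):
    """Return the location crumbs that resolve somewhere other than the local disk."""
    found = []
    for crumb in params.get("crumb", []):
        if crumb.lower().startswith("location:"):
            location = crumb[len("location:"):]
            if REMOTE_LOCATION_RE.match(location):
                found.append(location)
    return found


def scan_for_remote_search_ms(text):
    """Find search-ms: URIs in extracted text and report those with remote locations.

    XML entities are decoded first so that '&amp;' separators inside attribute
    values are parsed like the plain '&' the URI actually carries.
    """
    findings = []
    for match in SEARCH_MS_RE.finditer(html.unescape(text)):
        uri = match.group(0)
        params = parse_search_ms(uri)
        remotes = remote_locations(params)
        if not remotes:
            continue  # a purely local search is the protocol's normal use
        findings.append({
            "uri": uri,
            "query": params.get("query", [""])[0],
            "locations": remotes,
            "displayname": params.get("displayname", [""])[0],
        })
    return findings


if __name__ == "__main__":
    for finding in scan_for_remote_search_ms(SAMPLE_DOCUMENT_XML):
        print("remote search-ms URI:", finding["uri"])
        print("  shown to the user as:", finding["displayname"])
        print("  actually searches:", ", ".join(finding["locations"]))
```

Run against the constructed sample, the script is silent about the local Documents search and reports the second URI, showing the "Important Updates" label next to the remote address it really points at. On real input, feed it the strings extracted from a document's XML parts or from an e-mail body; the mismatch between display name and location is the signal worth surfacing in triage.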
A video shows an attack in progress, and in lieu of an official fix, Hickey has provided details of a workaround:
As Bleeping Computer points out, this is not the first time such an attack has been used, and it is unlikely to be the last:
> Until Microsoft makes it impossible to launch URI handlers in Microsoft Office without user interaction, be prepared for a whole series of similar news articles as new exploits are released.
Microsoft has yet to comment on the matter.