Following the recent Follina zero-day, a new Windows Search vulnerability has been discovered that can be used to easily distribute malware to unsuspecting users.
In the same way that Follina leverages the proprietary Windows URL “ms-msdt:” to open the Microsoft Windows Support Diagnostic Tool (MSDT), this exploit uses “search-ms:” to open Windows Search.
As reported by BleepingComputer (opens in new tab) and first discovered by security researcher hackerfantastic (opens in new tab), a weaponized Word document can be used to automatically launch “search-ms:” and display a Windows Search window on a user’s computer. However, in addition to local files, Windows Search can also display remote files hosted on another system.
This is where social engineering comes into play as an attacker could distribute a malicious Word file that uses this exploit to show malware in a Windows Search window. An unsuspecting user may click on one of these remote files especially if the phishing email used to deliver the initial Word document convinces them that they need to update or patch their software.
To make matters worse, the remote server containing these files can be named whatever an attacker wants, including “Important Updates,” which could convince a user to click on them.
Exploiting Windows-specific URLs
While most Windows users likely aren’t aware of this, there are actually many different Windows-specific URL schemes.
Both “ms-msdt:” and “search-ms:” are just two examples though there are others that are hooked up to protocol handlers via entries in the Windows Registry. These registry keys indicate that special actions should be triggered when a user tries to access one of these URLs.
For instance, as most people know, clicking on a URL that begins with “https:” will launch your default browser if it isn’t already open. These Windows-specific URLs work in much the same way but do so in your operating system.
Now that “ms-msdt” is being actively used in attacks by cybercriminals, it likely won’t take long for them to begin leveraging “search-ms” in their future campaigns.
How to protect yourself from attacks using this exploit
Although this new vulnerability isn’t exactly a zero-day exploit since it doesn’t directly lead to unexpected remote code execution as Sophos points out in a new blog post (opens in new tab), it’s still concerning enough that many users and businesses will likely want to take action to prevent falling victim to any attacks that leverage it. Fortunately, there are a few steps you can take to do so.
In the same way that Microsoft’s Follina workaround (opens in new tab) involves deleting the registry entry for “ms-msdt:”, you can also do the same thing for “search-ms:”. You’ll first need to run Command Prompt as Administrator to get started. Then you should use the command reg export HKEY_CLASSES_ROOT\search-ms search-ms.reg to back up your system’s registry key before executing the command reg delete HKEY_CLASSES_ROOT\search-ms /f. Doing so will break the connection that activates Windows Search when you type “search-ms:” into your address bar.
If you’re unable to do this, Sophos has some other tips that can help you avoid falling victim to any attacks exploiting this vulnerability. First off, you should never open any files without double-checking their file names as well as avoid assuming that files which show up in Windows Search are local files.
At the same time, remote file names aren’t as obvious as web links since Windows allows users to access files by drive letter or by UNC path. A UNC path often refers to a server name on your home network but can also refer to remote servers on the internet. Once you double click on a remote file specified as a UNC path, it will not only be downloaded but will also launch automatically once the download is complete.