Following on from the Follina security flaw, another Windows zero-day vulnerability has come to light. Dubbed SearchNightmare, the issue allows the search-ms URI protocol handler to be used to launch remotely hosted malware-ridden executables via a search window.
The protocol is normally used to perform local searches, but it can also be used to do the same with shared files on a remote host. An attacker could easily trick a victim into clicking a search-ms URI, and a method has been found to bypass the security warning that should be displayed by default.
By combining a Microsoft Office vulnerability with this new zero-day, security researcher Matthew Hickey has shown that it is possible to use a malicious Word file to open a remote search window. Hickey, the co-founder of Hacker House, produced a proof-of-concept illustrating how a victim could be fooled into installing malware.
As reported by Bleeping Computer, Hickey’s PoC shows how a Word file can be used to open a Windows Search window whose results are malicious files hosted remotely. The remote share can be given an innocent or misleading name, thereby tricking a victim into thinking that the malicious files are in fact important software updates.
A video shows an attack in progress, and in lieu of an official fix, Hickey has provided details of a workaround:
Steps for mitigation:
1. Run Command Prompt as Administrator.
2. To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\search-ms filename“
3. Execute command “reg delete HKEY_CLASSES_ROOT\search-ms /f”.
— hackerfantastic.crypto (@hackerfantastic) June 1, 2022
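The workaround in the tweet, carried out as an elevated PowerShell script with a backup check before the delete and a verification afterwards. This is an added example, not Hickey’s or Bleeping Computer’s code; the backup file location under ProgramData is an assumed choice, and the key can be restored later with `reg import` on that file.

```powershell
# Added example (not from the article or the tweet): back up and remove the
# HKEY_CLASSES_ROOT\search-ms protocol handler registration, then verify that
# it is gone. Run from a Command Prompt / PowerShell started as Administrator.
$KeyPath    = 'HKCR:\search-ms'                              # HKEY_CLASSES_ROOT\search-ms
$BackupPath = "$env:ProgramData\search-ms-backup.reg"        # assumed backup location

# HKCR: is not a default PowerShell drive; map it so Test-Path can see the key.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

if (-not (Test-Path $KeyPath)) {
    Write-Host "search-ms handler is not registered; nothing to do."
    return
}

# Record what the handler currently launches, so the change is auditable.
$cmd = Get-ItemProperty -Path "$KeyPath\shell\open\command" -ErrorAction SilentlyContinue
if ($cmd) { Write-Host "Current search-ms handler command: $($cmd.'(default)')" }

# Step 2 of the workaround: export the key with reg.exe (/y overwrites an old backup).
& reg.exe export 'HKEY_CLASSES_ROOT\search-ms' $BackupPath /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupPath)) {
    throw "Backup failed; the key has not been deleted."
}

# Step 3 of the workaround: delete the key, which unregisters the search-ms: URI scheme.
& reg.exe delete 'HKEY_CLASSES_ROOT\search-ms' /f | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg delete failed." }

# Verify the handler is really gone before reporting success.
if (Test-Path $KeyPath) { throw "HKEY_CLASSES_ROOT\search-ms is still present." }
Write-Host "search-ms handler removed. Backup saved to $BackupPath (restore with: reg import `"$BackupPath`")."
```

Deleting the key removes the search-ms: protocol association for the whole machine, so search-ms links in Start Menu search or in documents will no longer open until the backup is imported again.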
As Bleeping Computer points out, this is not the first time such an attack has been used, and it is unlikely to be the last:
Until Microsoft makes it impossible to launch URI handlers in Microsoft Office without user interaction, be prepared for a whole series of similar news articles as new exploits are released.
Microsoft has yet to comment on the matter.
Image credit: Narith Thongphasuk38 / Shutterstock