Yet Another Zero Day (Sort Of) In Windows “Search URL” Handling – Naked Security
Just as the dust was beginning to settle on the oddly named Follina vulnerability…
…along came another zero-day Windows security flaw.
We’re not convinced this one is as dramatic or as dangerous as some of the headlines seem to suggest (which is why we’ve carefully added the words “sort of” in the title above), but we’re not surprised that researchers are currently looking for new ways to abuse the many types of proprietary URL that Windows supports.
URL schemes revisited
The Follina bug, now better known as CVE-2022-30190, relies on a strange, non-standard URL scheme supported by the Windows operating system.
Basically, most URLs are structured to tell you, or the software you’re using, where to go, how to get there, and what to ask for when you arrive.
For example, the URL…
…says, “Use the scheme called https: to connect to a server called example.com, then request a file called
Likewise, the URL…
…says, “Look for a file on the local computer called thisone.txt in the directory
And the URL…
…says, “Do an LDAP search via TCP port 8888 to the server 192.168.1.79 and look for an object called
But Windows supports a long list of proprietary URL schemes (the part of the URL up to the first colon), each wired up to a so-called protocol handler, which can be used to trigger all sorts of non-standard activity simply by referencing the special URL.
The Follina bug, for example, took sneaky advantage of the ms-msdt: URL scheme, which is used for system diagnostics.
The ms-msdt: scheme, which we assume made sense at the time it was implemented, even though it seems foolhardy now, says, “Run the Microsoft Support Diagnostic Tool”, a program called MSDT.EXE that is intended to walk you through a series of basic troubleshooting steps when an application misbehaves.
But cybercriminals discovered that you can abuse the ms-msdt: protocol handler by means of a URL embedded in a document or email opened by Office or Outlook.
With a booby-trapped ms-msdt: URL, attackers can not only silently launch MSDT.EXE on your computer, but also feed it rogue PowerShell script code so that it runs whatever malware they want.
Instead of helping you troubleshoot your computer, crooks exploit MSDT to infect it instead.
URLs you’ve never heard of
The ms-msdt: scheme isn’t the only weird and wonderful Windows-specific URL scheme that Microsoft has come up with.
There are many “helper” URL schemes, both standard and non-standard, connected to protocol handlers through entries in the Windows registry.
These registry entries tell Windows which program to run, and how, when someone tries to access a URL with the relevant scheme.
For example, as you know from experience, accessing an https: URL usually launches your browser, if it isn’t already running.
And, as we explained above, visiting an ms-msdt: URL launches MSDT.EXE, although we suspect that very few people knew that until earlier this week. (We didn’t – we had never used, or even seen, such a URL before the Follina story broke.)
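To see exactly which schemes are wired to handlers on a given machine, and what each one runs, you can read those registry entries back out. The following is an added PowerShell example, not code from the original article; it assumes the usual convention that a scheme key under HKEY_CLASSES_ROOT carrying a “URL Protocol” value is a protocol handler, with the launch command stored under shell\open\command. It is read-only.

```powershell
# Added example (not from the original article): list the URL schemes that
# Windows has wired to protocol handlers, and the command each one launches.
# Assumption: a scheme key under HKCR is a handler when it carries a
# "URL Protocol" value, and its command lives under shell\open\command.
# Read-only; runs in any PowerShell prompt on Windows.

function Get-UrlProtocolHandler {
    [CmdletBinding()]
    param(
        # Restrict output to particular schemes, e.g. 'search-ms','ms-msdt'; default is all
        [string[]]$Scheme
    )
    $keys = Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '.*' }   # skip file-extension keys such as .txt
    foreach ($key in $keys) {
        if ($Scheme -and ($Scheme -notcontains $key.PSChildName)) { continue }
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Only keys that declare themselves as URL protocols are handlers
        if ($null -eq $props -or -not ($props.PSObject.Properties.Name -contains 'URL Protocol')) { continue }
        $cmdPath = Join-Path $key.PSPath 'shell\open\command'
        $command = $null
        if (Test-Path $cmdPath) {
            # The default value of shell\open\command is the program that gets launched
            $command = (Get-ItemProperty -Path $cmdPath -ErrorAction SilentlyContinue).'(default)'
        }
        [pscustomobject]@{
            Scheme  = $key.PSChildName
            Command = $command
        }
    }
}

# Everything registered on this machine, then just the two schemes discussed above
Get-UrlProtocolHandler | Sort-Object Scheme | Format-Table -AutoSize
Get-UrlProtocolHandler -Scheme 'ms-msdt', 'search-ms' | Format-List
```

Anything in the Command column that launches an interpreter, a diagnostic tool or Explorer with a caller-controlled argument is worth a second look, because a document or email can hand it that argument without any click on a conventional web link.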
Well, a cybersecurity researcher known as @hackerfantastic discovered that a Windows URL scheme called search-ms: could, like ms-msdt:, be misused for cybercriminal trickery.
As we’ve said already, we’re not entirely convinced this is in what we’d call “zero-day exploit” territory, because it doesn’t directly lead to unexpected remote code execution…
…but we accept that it’s a close call, and you may wish to prevent this special URL scheme from working in the future.
The “search URL” trick
search-ms: URLs pop up a Windows search window and run a search automatically, as if you had clicked the magnifying glass on the taskbar yourself, typed in the text you wanted to search for, and waited for the results.
By embedding this sort of URL in a document such as a DOC or RTF file, in much the same way that the Follina trick works, an attacker can lure you into opening a document that then automatically pops up an official-looking list of search results alongside it:
Microsoft Office 2019 / Windows 10 / search-ms: URI handler exploit and post-exploit steps to SYSTEM. pic.twitter.com/r512uF3vQ4
— hackerfantastic.crypto (@hackerfantastic) June 1, 2022
Attackers who embed the special URL in the booby-trapped document can choose, in advance, what appears in the title of the search window and which files get displayed.
The files displayed don’t have to be locally stored files such as C:\Users\duck\mypreso.ppt, but can be remote files (UNC paths) such as
Of course, this doesn’t automatically launch the offending files, which is why we only consider this a “sort of” zero-day.
You still have to choose one of the files, double-click to run it, and respond to a security warning, as seen in the Twitter video above.
Nevertheless, this trick certainly puts you in rather more danger than an old-fashioned email lure containing suspicious web links.
The window that appears is not a browser or an email client.
Instead, it looks like what you would see if you were doing a regular search on your local computer, and contains nothing resembling a traditional web link.
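Because the search window carries no visible link, the place to look for the lure is the document itself. The following is an added PowerShell example, not code from the original article or from the researcher’s demonstration: it pulls search-ms: URLs out of a document’s text and flags the ones whose search location is a UNC path. The parameter names (displayname=, crumb=location:, query=) are taken from Microsoft’s documented search-ms syntax; the sample text, hostnames and share names below are constructed for illustration.

```powershell
# Added example (not from the original article): extract search-ms: URLs from
# a document's text and report what each would display and where it points.
# Assumption: parameters follow Microsoft's documented search-ms syntax
# (name=value pairs separated by '&', with crumb=location:<path> naming the
# folder to search and displayname= naming the window title).

function Get-SearchMsUri {
    param([Parameter(Mandatory)][string]$Text)
    # Scheme followed by everything up to whitespace, a quote or an angle bracket
    $found = [regex]::Matches($Text, 'search-ms:[^\s"''<>]+')
    foreach ($m in $found) {
        $uri    = $m.Value
        $params = @{}
        foreach ($pair in $uri.Substring('search-ms:'.Length) -split '&') {
            $name, $value = $pair -split '=', 2
            if ($name) { $params[$name.ToLower()] = [uri]::UnescapeDataString(($value -join '')) }
        }
        $location = $null
        if ($params.ContainsKey('crumb') -and $params['crumb'] -match '^location:(.+)$') {
            $location = $Matches[1]
        }
        [pscustomobject]@{
            Uri         = $uri
            DisplayName = $params['displayname']
            Location    = $location
            # A location starting with \\ makes Explorer fetch the listing from a remote server
            IsRemote    = [bool]($location -and $location.StartsWith('\\'))
        }
    }
}

# Constructed sample text (not from a real attack): one remote and one local search
$sample = @'
Some harmless paragraph of document text.
search-ms:displayname=Quarterly%20Report&crumb=location:\\198.51.100.42\share
search-ms:query=invoice&crumb=location:C:\Users\duck\Documents&displayname=My%20Files
'@
Get-SearchMsUri -Text $sample | Format-Table Uri, DisplayName, Location, IsRemote -Wrap
```

On the sample, the first URL is reported with IsRemote set to True and a display name of “Quarterly Report”, which is exactly the combination (a convincing title over files that are not on your own computer) that the trick relies on. To scan real files, feed the function the extracted text of a DOC or RTF rather than the raw bytes, since the URL may be percent-encoded or split across formatting runs.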
What to do?
- Never open files without double-checking their names. Don’t assume that files appearing in a Windows search window are local files you can trust, especially if the search isn’t one you deliberately started yourself. If in doubt, leave it out!
- Enable the Windows option to show file extensions. Unfortunately, Windows hides file extensions by default, so a file such as risky.exe just shows up as risky. This means that a file deliberately named readme.txt.exe ends up apparently mislabelled as the innocent-looking readme.txt. Open File Explorer and go to View > File name extensions.
- Remember that remote filenames are not as obvious as web links. Windows lets you access files by drive letter or by UNC path. A UNC path often refers to a server on your own network, for example \\MAINSRV, but it can also refer to a remote server on the internet, such as \\198.51.100.42. Double-clicking a remote file specified as a UNC path will not only download it in the background from the specified server, but also launch it automatically once it arrives.
- Consider deleting the registry entry HKEY_CLASSES_ROOT\search-ms. This is a similar mitigation to the one used for the Follina bug, where you remove the ms-msdt entry instead. Export the key first so you can restore it later if you need to. Deleting it breaks the magic link between clicking a search-ms: URL and the search window popping up. After the registry entry is gone, search-ms: URLs have no special meaning and therefore don’t trigger anything.
- Watch this space. We won’t be surprised if more proprietary Windows URL schemes make cybersecurity news over the next few days or weeks, either pressed into service for sneaky or even outright destructive purposes by cybercriminals, or simply discovered by researchers pushing the limits of the system as it stands.
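If you decide to go ahead with the registry mitigation, it is worth doing it in a way that keeps a backup and verifies the result. The following is an added PowerShell example, not code from the original article or from Microsoft: it exports the handler key with reg.exe, deletes it, and reports whether the key is still present. It assumes an elevated PowerShell prompt and uses a backup location under %TEMP% that is our choice, not a Windows convention.

```powershell
# Added example (not from the original article): back up and remove a URL
# protocol handler registration such as HKCR\search-ms, then confirm that
# the key is gone. Requires an elevated PowerShell prompt on Windows.
# Assumption: the backup path under $env:TEMP is an arbitrary choice.

function Disable-UrlProtocolHandler {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Scheme,
        # Where to save the .reg export; restore later with: reg.exe import <BackupPath>
        [string]$BackupPath
    )
    if (-not $BackupPath) { $BackupPath = Join-Path $env:TEMP "$Scheme-handler-backup.reg" }
    $keyPath = "Registry::HKEY_CLASSES_ROOT\$Scheme"
    if (-not (Test-Path $keyPath)) {
        Write-Warning "No handler registered for ${Scheme}: on this machine; nothing to do"
        return
    }
    # Export first so the change can be reversed; refuse to delete if the export fails
    & reg.exe export "HKCR\$Scheme" $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of HKCR\$Scheme failed; not deleting anything" }
    if ($PSCmdlet.ShouldProcess("HKCR\$Scheme", 'Delete protocol handler key')) {
        Remove-Item -Path $keyPath -Recurse -Force
    }
    [pscustomobject]@{
        Scheme       = $Scheme
        Backup       = $BackupPath
        StillPresent = Test-Path $keyPath   # expected False after a real (non -WhatIf) run
    }
}

# Dry run first, then the real thing for the scheme discussed in this article
Disable-UrlProtocolHandler -Scheme 'search-ms' -WhatIf
Disable-UrlProtocolHandler -Scheme 'search-ms'
```

The same call with -Scheme 'ms-msdt' mirrors the Follina workaround. Note that HKEY_CLASSES_ROOT is a merged view of the machine-wide and per-user class registrations, so a handler removed here can reappear if software re-registers it, which is another reason to keep the exported .reg file and to re-check with a handler listing after updates.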