Project Hyphae

Microsoft Search ‘Zero Day’ becoming more like ‘Every Day.’

In addition to “Follina,” another new Windows zero-day vulnerability has been found that abuses the Search functionality to automatically open a search window listing remotely hosted malware executables when a user simply opens a Word document. Windows supports a URI protocol handler called “search-ms,” which allows applications and HTML links to launch customized searches on a Windows device.

While most Windows searches will simply look at the local device’s index, it is also possible to force Windows Search to query remote indexes. Malicious threat actors could set up remote indexes configured to masquerade as legitimate local/production shares. Malware of any sort can then be presented in a way that deceives victims, using files that wouldn’t be caught by local anti-virus signatures and behavioral detections.
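As an added example (not from the original post), the Python sketch below flags search-ms URIs whose search location points off the local device, which is the remote-index behavior described above. It assumes the `crumb=location:` and `displayname` parameters of Microsoft's documented search protocol syntax; the function names and sample URIs are constructed for illustration.

```python
import re
from urllib.parse import unquote

# A location is treated as remote if it is a UNC path (\\host\share or //host/share)
# or carries a URL scheme such as http:// or file://.
_REMOTE = re.compile(r"^(\\\\|//|[a-z][a-z0-9+.-]*://)", re.IGNORECASE)

def parse_search_ms(uri):
    """Return {parameter: [decoded values]} for a search-ms URI, else None."""
    scheme, sep, rest = uri.strip().partition(":")
    if not sep or scheme.lower() != "search-ms":
        return None
    params = {}
    for part in rest.split("&"):
        if part:
            key, _, value = part.partition("=")
            params.setdefault(key.strip().lower(), []).append(unquote(value))
    return params

def assess(uri):
    """Summarise a URI: is it search-ms, and does any location crumb leave the host?"""
    params = parse_search_ms(uri)
    if params is None:
        return {"search_ms": False, "remote": False, "locations": [], "displayname": None}
    locations = []
    for crumb in params.get("crumb", []):
        kind, _, value = crumb.partition(":")
        if kind.strip().lower() == "location":
            locations.append(value.strip())
    return {
        "search_ms": True,
        "remote": any(_REMOTE.match(loc) for loc in locations),
        "locations": locations,
        # The display name is what the user sees as the search window title.
        "displayname": (params.get("displayname") or [None])[0],
    }

# Constructed sample URIs (hosts and names are placeholders, not real indicators).
SAMPLES = [
    "search-ms:query=report&crumb=location:%5C%5Cfiles.example.invalid%5Cshare&displayname=Shared%20Documents",
    "search-ms:query=report&crumb=location:C%3A%5CUsers%5CPublic%5CDocuments",
    "https://example.invalid/page",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(assess(sample))
```

A remote location paired with a friendly display name is the combination worth alerting on, since the display name is what lets a remote share pass for a local or production one.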

Until Microsoft disables the functionality for Microsoft Office to launch URI handlers without user interaction, administrators and security teams should be prepared for these types of vulnerabilities, as well as similar attack vectors as new exploits are discovered and released. At this time, Microsoft’s primary recommendation for dealing with these vulnerabilities is for “users to practice safe computing habits and to only open files that come from trusted sources,” according to a statement to BleepingComputer.

The definition of “opening files,” in this instance, should also include the rather innocuous act of viewing a Microsoft Word file within a preview pane. For more information, please visit: https://www.bleepingcomputer.com/news/security/new-windows-search-zero-day-added-to-microsoft-protocol-nightmare/
