Protocol vulnerability allows launching malicious Windows Search by just opening Word file

Following reports about Microsoft Support Diagnostic Tool vulnerabilities, researchers uncovered another zero-day that allows connection to remotely-hosted malware. The issue lies within a uniform resource identifier (URI) called "search-ms", responsible for allowing apps and links to launch searches on a computer.

Modern Windows versions, such as 11, 10, and 7, allow Windows Search to browse files locally and on remote hosts. The user can set a URI with the remote host address and the display name to appear on the title bar of the search window. Windows can launch personalized search windows using various methods, such as a web browser or Run (Win + R).

BleepingComputer says a bad actor can utilize the protocol handler to create, for example, a fake Windows Update directory and trick the user into clicking a malware disguised as a legitimate update. Still, execution requires an action from the target, and modern browsers, such as Microsoft Edge, have additional security warnings. This is where other flaws come into play.

As it turned out, one can combine the search-ms protocol handler with a new flaw in Microsoft Office OLEObject. It allows bypassing Protected View and launching URI protocol handlers without user interaction. @hackerfantastic demonstrated the idea by crafting a Word document that automatically opens a Windows Search window and connects to a remote SMB. Because search-ms allows renaming search windows, hackers can prepare "personalized" searches to mislead their targets.

Another proof-of-concept shows an RTF document that does the same. This time, it does not even require launching Word. A new search window launches when File Explorer creates a preview on the Preview Pane.

Users can protect their systems by doing what Microsoft recommends to mitigate the MSDT vulnerability. Removing the search-ms protocol handler from Windows Registry will help secure a system:

1. Press Win + R, type cmd and press Ctrl + Shift + Enter to run Command Prompt as Administrator.
2. Type reg export HKEY_CLASSES_ROOT\search-ms search-ms.reg and press Enter to create a backup of the key.
3. Type reg delete HKEY_CLASSES_ROOT\search-ms /f and press Enter to remove the key from Windows Registry.

Microsoft is working on fixing the vulnerabilities in protocol handlers and related Windows features. Still, experts claim hackers will find other handlers to exploit, and Microsoft should focus on making it impossible to launch URL handlers in the Office apps without user interaction. A similar situation happened last year with PrintNightmare when Microsoft fixed one component just for researchers to uncover other vulnerabilities.