A new Windows Search zero-day found in Microsoft (8th June 2022)

Ref# AL2022_36 | Date: Jun 8th 2022


By launching a Word document, a new Windows Search zero-day vulnerability can be utilized to automatically open a search window containing remotely hosted malware executables. 


Given that Windows includes a URI protocol handler called search-ms,” which allows apps and HTML links to launch customized searches on a device, the security flaw can be exploited.  

How it works 

While most Windows searches will look in the index on the local device, you may configure Windows Search to query file shares on remote hosts and give the search box a custom title. Search zero-day can be exploited to automatically open a search window with remotely hosted malware using a weaponized Word document. This was made possible by the way Windows handles the “search-ms” URI protocol handler. 


In order to mitigate the threat, remove the search-ms protocol handler from the Windows Registry. To do so, open CMD as Administrator and type “reg delete HKEY CLASSES ROOTsearch-ms /f” at the command prompt. 

The Guyana National CIRT recommends that users and administrators review this update and apply it where necessary.     

PDF Download: A new Windows Search zero-day found in Microsoft.pdf