Description
Opening a Word document can trigger a new Windows Search zero-day vulnerability that automatically opens a search window containing remotely hosted malware executables.
Summary
The flaw is exploitable because Windows includes a URI protocol handler called “search-ms”, which allows applications and HTML links to launch customized searches on a device.
How it works
While most Windows searches look in the index on the local device, Windows Search can be configured to query file shares on remote hosts and to give the search window a custom title. The zero-day can be exploited by a weaponized Word document to automatically open a search window listing remotely hosted malware. This is possible because of the way Windows handles the “search-ms” URI protocol handler.
Remediation
To mitigate the threat, remove the search-ms protocol handler from the Windows Registry. To do so, open CMD as Administrator and run “reg delete HKEY_CLASSES_ROOT\search-ms /f” at the command prompt.
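The same mitigation as an added PowerShell example (not part of the CIRT advisory): it first audits whether the search-ms handler is registered, then, when run with -Remove, backs up the key so it can be restored later and deletes it. The backup location ($BackupPath) is an assumption; run it in an elevated PowerShell session.

```powershell
# Added example: audit and optionally remove the search-ms protocol handler.
# HKEY_CLASSES_ROOT\search-ms is the handler registration named in the advisory;
# $BackupPath is an assumed location for the registry backup.
param(
    [switch]$Remove,
    [string]$BackupPath = "$env:ProgramData\search-ms-backup.reg"
)

$KeyPath = 'Registry::HKEY_CLASSES_ROOT\search-ms'

# 1. Audit: report whether the handler exists and which command it launches.
if (-not (Test-Path $KeyPath)) {
    Write-Output "search-ms handler not registered; nothing to do."
    return
}
$cmd = Get-ItemProperty -Path "$KeyPath\shell\open\command" -ErrorAction SilentlyContinue
Write-Output "search-ms handler present. Launch command: $($cmd.'(default)')"

if (-not $Remove) {
    Write-Output "Re-run with -Remove to back up and delete the handler."
    return
}

# 2. Back up the key first; it can be restored later with 'reg import'.
reg export HKEY_CLASSES_ROOT\search-ms $BackupPath /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup failed; handler left in place." }
Write-Output "Backup written to $BackupPath"

# 3. Remove the handler (equivalent to: reg delete HKEY_CLASSES_ROOT\search-ms /f).
Remove-Item -Path $KeyPath -Recurse -Force

# 4. Verify the removal took effect.
if (Test-Path $KeyPath) { throw "Handler still present after removal." }
Write-Output "search-ms handler removed."
```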
The Guyana National CIRT recommends that users and administrators review this update and apply it where necessary.