Researchers have discovered a vulnerability in Windows Search that will allow a search window containing remotely-hosted malware executables to be opened simply by launching a Word document. This is similar to CVE-2022-30190 as it abuses a URI protocol handler to perform an action without involvement of the user.
Using this new technique, a threat actor could craft a Microsoft Word document in such a way that it will automatically launch a “search-ms” command to open a Windows Search window. While most searches are performed against a local drive, threat actors could craft the search-ms command in such a way that it will instead open a Windows Search window pointed to a remote SMB share. This share can be named whatever the threat actor wants, such as “Important Updates,” to help further trick the user into thinking the malicious files within are required for some such purpose.
While this technique does require users to manually launch malicious executables, upon which they will also receive a warning about an untrusted remote file, it is likely to be added to the arsenal of threat actors creating sophisticated phishing campaigns.
While this vulnerability is not nearly as critical as CVE-2022-30190, it can still potentially be abused by crafty threat actors to trick users into installing malicious software. This exploit can be mitigated in a similar way as the ms-msdt exploit, instead deleting the search-ms Registry key located at the following location:
This can be done either via Group Policy to mitigate all systems at once, or via the reg.exe command manually on each system. Likewise, since the way to exploit this vulnerability is by utilizing a remote SMB share to host the malicious files, it is highly recommended to block outbound SMB traffic. This will not only help with this vulnerability, but also with a number of other security issues that stem from allowing SMB outside of the environment. Finally, it is recommended to have appropriate logging and monitoring on all systems in order to help detect anomalous behavior. Microsoft Word launching abnormal child processes or processes making abnormal network connections are just a few ways to help detect this vulnerability being exploited. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.