Just as the dust was starting to settle on the oddly named Follina vulnerability…
… added another zero-day vulnerability in Windows.
We’re not convinced this is quite as dramatic or as dangerous as some of the headlines suggest (which is why we carefully added the words “kinda” above), but we’re not surprised that researchers are currently looking for new ones Ways to abuse the many proprietary URL types in Windows.
URL schemes revised
In memory of.
That Folline Bug, now better known as CVE-2022-30190, depends on a strange, non-standard URL supported by the Windows operating system.
Broadly speaking, most URLs are structured to tell you or whatever software you’re using where to go, how to get there, and what to ask for when you get there.
For example the URL…
…says, “Use the scheme named https: to connect to a server named
example.com and then request a file named
Also the url…
…says, “Browse for a file on the local computer named
thisone.txt in the register
And the url…
…says, “Perform an LDAP lookup over TCP port 8888 to the server
192.168.1.79and look for an object called
But Windows comes with a long list of proprietary URL schemes (the letters up to the first colon), also known as protocol handlerwhich can be used to trigger a variety of non-standard activities simply by referencing the special URL.
For example, the Follina bug took advantage of the URL scheme
ms-msdt:related to system diagnostics.
ms-msdt: Scheme, which we assume made sense at the time it was implemented, although seems foolhardy now, says, “Run the Microsoft Support Diagnostic Tool”a program called MSDT.EXE designed to walk you through a basic series of steps in troubleshooting a faulty app.
But a bunch of cybercriminals have discovered that it can be misused
ms-msdt: Protocol handlers using a URL embed in a document or email that is opened by Outlook or Office.
With a villain
ms-msdt: URL attackers can not only silently launch the MSDT.EXE app on your computer, but also inject it with a series of deceptive PowerShell script code to force you to run malware of their choice.
Instead of helping you troubleshoot your computer, crooks take advantage of MSDT to infect it instead.
The URLs you’ve never heard of
It turns out that
ms-msdt: isn’t the only weird and wonderful Windows-specific URL scheme Microsoft has come up with.
There are numerous standard and non-standard URL helper schemes associated with protocol handlers through entries in the Windows registry.
These registry keys mean that special actions should be triggered when someone tries to access the relevant URLs.
For example, as you know from experience, access to a
https: URL usually launches your browser if it’s not already running.
And, as we explained above, visiting a
ms-msdt: URL launches MSDT.EXE, although we suspect very few people were aware of this prior to the start of this week. (We didn’t – we had never used or even seen a URL of this type before the Follina story broke.)
Well, a cybersecurity researcher known as @hackerfantastic has uncovered a Windows URL scheme called
search-ms: that could, how
ms-msdt:be misused for cybercriminal treason.
As we’ve said before, we’re not entirely convinced this is in the realm of what we would call a “zero-day exploit” as it doesn’t directly lead to unexpected remote code execution…
…but we accept that it’s getting close and that you may want to block that particular URL in the future.
The “Search URL” trick
search-ms: URLs are displayed and automatically perform a Windows search, as if you yourself had clicked the magnifying glass in the taskbar, entered text of your choice and waited for the result.
And by embedding this type of URL in a document, such as a DOC or RTF file, similar to the Follina trick, an attacker can trick you into opening a document and then automatically displaying an official search listing of search results associated with it:
Microsoft Office 2019/Windows 10/search-ms: URI handler exploitation and post-exploitation steps to SYSTEM. pic.twitter.com/r512uF3vQ4
— hackerfantastic.crypto (@hackerfantastic) June 1, 2022
The attackers who embed the special URL in the booby-trapped document can choose in advance what will appear in the search bar title and which files to display.
The files shown do not have to be locally stored files, such as
C:\Users\duck\mypreso.pptbut remote files (UNC paths) such as e.g
Of course, this doesn’t automatically start the offending files, so we only consider this to be “some kind of” zero-day.
You still have to select one of the files, double-click it and respond to a security warning, as you can see in the Twitter video above.
Still, this trick puts you at risk in a much more credible way than old-fashioned email decoy with suspicious-looking web links in it.
The window that opens is not a browser or email client.
Instead, it looks like you’re doing a regular search on your local computer and doesn’t contain anything that looks like a traditional web link.
What to do?
- Never open files without checking their names. Don’t assume that files that appear in a Windows search dialog are local files that you can trust, especially if you didn’t intentionally initiate the search yourself. If in doubt, leave it out!
- Enable the Windows option to show file extensions. Annoyingly, Windows suppresses file extensions by default, so a file like
risky.exeonly shows up as
risky. This means that a file is intentionally renamed
readme.txt.exeis apparently mislabeled as innocent looking
readme.txt. Open file manager and go to outlook > Filename Extensions.
- Keep in mind that removed filenames are not as obvious as web links. Windows allows you to access files by drive letter or by UNC path. A UNC path often refers to a server name on your own network, e.g
\\MAINSRVbut can just as well refer to remote servers on the internet, such as
\\198.51.100.42. Double-clicking on a remote file specified as a UNC path not only downloads it in the background from the specified server, but also starts it automatically as soon as it arrives.
- Consider deleting the registry entry
HKEY_CLASSES_ROOT\search-ms. This is a similar mitigation to the Follina bug, where you use the
ms-msdtentry instead. This breaks the magic connection between clicking a
search-ms:URL and activation of the search window. After deleting the registry entry
search-ms:URLs have no special meaning and therefore do not trigger anything.
- Watch this area. We won’t be surprised if other proprietary Windows URLs make the cybersecurity news in the next few days or weeks, being put into service by cybercriminals for sneaky or even outright destructive purposes, or simply being uncovered by researchers trying to push the system’s limits to expand as it stands.