Analysis and mitigation of the vulnerability by security researchers will reveal some more findings.
The text here is a quick sum up and description. The protocol handler could still be entered in other registry branches (HKCU, HKLM). As also addressed in the post Follina: Attack via Word documents and ms-msdt protocol (CVE-2022-30190), removing the key is not enough to fix the vulnerability. The sequence of steps remove the entry for the search-ms URI protocol trader from the registry. run the command "reg delete HKEY_CLASSES_ROOT\search-ms /f". to back up the registry key, run the command "reg export HKEY_CLASSES_ROOT\search-ms filename".ģ. run the command prompt as an administrator.Ģ. The hacker gives his steps to mitigate the attack path in the following tweet:ġ.
Although the user would then have to click the link and confirm the displayed warning when opening the search (see the image in the following tweet). Then the malware could be spread remotely through the Windows search windows opened by phishing attacks/malicious Word documents.
The campaigns involve hosting Windows shares publicly. Threat actors can use this method to create sophisticated phishing campaigns. The links could then be used to set up a remote Windows share to host malware disguised as security updates. An attacker could use this approach for malicious actions and, for example, link alleged security updates via search-ms-URI in phishing emails. This works in Windows 7 SP1 up to Windows 11. Search-ms:query=proc&crumb=location:%5C%&displayname=Searching%20Sysinternals To search this remote share and list only files that match a specific name, you could use the following "search-ms" URI: This Sysinternals tools can be mounted as a network share via the following command from to run utilities. The colleagues from Bleeping Computer point out here that external URLs can also be included in the search. Thus, the exploit can be used to open the Windows search window or list files on remote shares by opening a Word document. The search-ms URI protocol handler allows applications and HTML links to launch custom searches on a device. This is because Matthew Hickey has used a modified exploit that chains the Microsoft Office OLEObject vulnerability to the Windows search-ms protocol handler. This is effectively a similar attack to one via the Windows ms-msdt protocol (Follina vulnerability CVE-2022-30190). The new zero-day vulnerability in Windows Search can be used to automatically open a search window where remote malware can be executed by launching a Word document. He was able to call the search-ms: URI handler on Windows 10 using Microsoft Office 2019 to gain SYSTEM privileges. On Facebook, I was alerted to the following tweet from hackerfantastic.crypto in a private message.
0 kommentar(er)
