Security News > 2022 > June > Yet another zero-day (sort of) in Windows “search URL” handling

The Follina bug, now more properly known as CVE-2022-30190, hinges on a weird, non-standard URL supported by the Windows operating system.

Windows includes a lengthy list of proprietary URL schemes, also known as protocol handlers, that can be used to trigger a range of non-standard activities simply by referencing the special URL. The Follina bug, for example, took devious advantage of the URL scheme ms-msdt:, which relates to system diagnostics.

There are numerous "Helper" URL schemes, standard and non-standard, hooked up to protocol handlers via entries in the Windows registry.

Simply put, search-ms: URLs will pop up and perform a Windows search automatically, as though you'd clicked on the magnifying glass in the task bar yourself, entered text of your choice, and waited for the result.

The attackers who embed the special URL in the booby-trapped document get to choose, in advance, what appears in the title of the search bar, and which files to display.

We won't be surprised if other proprietary Windows URLs make the cybersecurity news over the next few days or weeks, pressed into service for devious or even directly destructive purposes by cybercriminals, or simply just uncovered by researchers trying to push the limits of the system as it stands.

News URL

https://nakedsecurity.sophos.com/2022/06/02/yet-another-zero-day-sort-of-in-windows-search-url-handling/