Yet another zero-day (sort of) in Windows “search URL” handling (Security News, June 2022)
The Follina bug, now more properly known as CVE-2022-30190, hinges on a weird, non-standard URL supported by the Windows operating system.
Windows includes a lengthy list of proprietary URL schemes, also known as protocol handlers, that can be used to trigger a range of non-standard activities simply by referencing the special URL. The Follina bug, for example, took devious advantage of the URL scheme ms-msdt:, which relates to system diagnostics.
There are numerous “helper” URL schemes, standard and non-standard, hooked up to protocol handlers via entries in the Windows registry.
Simply put, search-ms: URLs will pop up and perform a Windows search automatically, as though you'd clicked on the magnifying glass in the task bar yourself, entered text of your choice, and waited for the result.
The attackers who embed the special URL in the booby-trapped document get to choose, in advance, what appears in the title of the search bar, and which files to display.
We won't be surprised if other proprietary Windows URLs make the cybersecurity news over the next few days or weeks, pressed into service for devious or even directly destructive purposes by cybercriminals, or simply uncovered by researchers trying to push the limits of the system as it stands.
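Because every scheme such as ms-msdt: and search-ms: is wired up through a registry key, an administrator can inventory which handlers a machine actually has registered and what command each one launches. The PowerShell below is an added audit example, not code from the article; the two schemes it flags are taken from the article, and the registry layout it relies on (a `URL Protocol` value on the scheme key under HKEY_CLASSES_ROOT, with the launch command under `shell\open\command`) is the standard Windows convention.

```powershell
# Added example (not from the article): inventory registered URL protocol handlers.
# Schemes to highlight are taken from the article's discussion; extend as needed.
$SchemesOfInterest = @('ms-msdt', 'search-ms')

function Get-UrlProtocolHandler {
    # Any key directly under HKCR that carries a 'URL Protocol' value is a URL scheme
    # that Windows will dispatch to a handler when the URL is opened.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $null -ne $_.GetValue('URL Protocol', $null) } |
        ForEach-Object {
            $scheme  = $_.PSChildName
            $cmdKey  = Join-Path $_.PSPath 'shell\open\command'
            $command = $null
            if (Test-Path $cmdKey) {
                # The (default) value holds the command line that receives the URL.
                $command = (Get-ItemProperty -Path $cmdKey).'(default)'
            }
            [pscustomobject]@{
                Scheme  = $scheme
                Command = $command
                Flagged = ($SchemesOfInterest -contains $scheme)
            }
        }
}

$handlers = Get-UrlProtocolHandler

# Full inventory: useful as a baseline to diff against after patching or hardening.
$handlers | Sort-Object Scheme | Format-Table -AutoSize

# Just the schemes discussed in the article, so you can confirm whether they are
# still registered on this host (for example after a mitigation that removes a key).
$handlers | Where-Object Flagged | Format-List
```

Run it in an elevated PowerShell session and keep the output as a baseline; a new or changed `Command` for a scheme is worth investigating.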
Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2022-06-01 | CVE-2022-30190 | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Microsoft products. A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. | 7.8