Security News > 2022 > June > Yet another zero-day (sort of) in Windows “search URL” handling

Yet another zero-day (sort of) in Windows “search URL” handling
2022-06-02 19:39

The Follina bug, now more properly known as CVE-2022-30190, hinges on a weird, non-standard URL supported by the Windows operating system.

Windows includes a lengthy list of proprietary URL schemes, also known as protocol handlers, that can be used to trigger a range of non-standard activities simply by referencing the special URL. The Follina bug, for example, took devious advantage of the URL scheme ms-msdt:, which relates to system diagnostics.

There are numerous "Helper" URL schemes, standard and non-standard, hooked up to protocol handlers via entries in the Windows registry.

Simply put, search-ms: URLs will pop up and perform a Windows search automatically, as though you'd clicked on the magnifying glass in the task bar yourself, entered text of your choice, and waited for the result.

The attackers who embed the special URL in the booby-trapped document get to choose, in advance, what appears in the title of the search bar, and which files to display.

We won't be surprised if other proprietary Windows URLs make the cybersecurity news over the next few days or weeks, pressed into service for devious or even directly destructive purposes by cybercriminals, or simply just uncovered by researchers trying to push the limits of the system as it stands.


News URL

https://nakedsecurity.sophos.com/2022/06/02/yet-another-zero-day-sort-of-in-windows-search-url-handling/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-06-01 CVE-2022-30190 Externally Controlled Reference to a Resource in Another Sphere vulnerability in Microsoft products
A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word.
local
low complexity
microsoft CWE-610
7.8