Windows Vulnerability Activates When Opening Word Documents
Miscellaneous / June 02, 2022
In fact, this is an exploit of two vulnerabilities at the same time. Microsoft has not closed the security hole yet, but it has explained how to protect your computer.
Researchers have discovered a new zero-day vulnerability that allows remote execution of malware. The problem lies in a Uniform Resource Identifier (URI) protocol handler called search-ms, which allows applications and links to run searches on the computer.
Modern versions of the system, including Windows 11, 10, and 7, allow Windows Search to browse files locally and on remote hosts. An attacker can use the protocol handler to create, for example, a fake "Windows Update Center" directory and trick the user into opening malware disguised as an update. However, modern browsers usually react to such files and warn the user, so there is little chance of getting a click this way. But scammers have discovered other ways to exploit this vulnerability.
As it turned out, the search-ms protocol handler can be combined with a vulnerability in Microsoft Office OLEObject that was discovered earlier. It allows an attacker to bypass browsing protection and run URI protocol handlers without user interaction.
A demonstration of this method appeared on YouTube: an MS Word file was used to launch another application, in this case the calculator. Because search-ms allows the name of the search box to be changed, hackers can disguise the interface to mislead their victims.
The same can be achieved with RTF documents. In this case, you don't even need to open Word: a new search window is launched as soon as Explorer renders a preview of the file in the preview pane.
Microsoft has published instructions on how to mitigate this vulnerability. Removing the search-ms protocol handler from the Windows registry will help protect the system. To do this:
- Press Win + R, type cmd and press Ctrl + Shift + Enter to launch Command Prompt with administrator privileges.
- Enter the following and press Enter to back up the key:
reg export HKEY_CLASSES_ROOT\search-ms search-ms.reg
- After that, enter the following and press Enter to remove the key from the registry:
reg delete HKEY_CLASSES_ROOT\search-ms /f
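The same mitigation can be applied in a checked, repeatable way from an elevated PowerShell session. The script below is an added example written for this article; it is not Microsoft's published procedure or code from the article. It wraps the two reg.exe commands above with the checks an administrator would want: it confirms the key actually exists, writes a timestamped backup, verifies the backup file was created before anything is deleted, and confirms the key is gone afterwards. The backup directory ($BackupDir) and the function names are assumptions chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or Microsoft): applies the search-ms
# mitigation with verification. Assumes an elevated PowerShell session;
# $BackupDir is an arbitrary location chosen for this example.

param(
    [string]$BackupDir = "$env:ProgramData\search-ms-mitigation"
)

$KeyPath   = 'HKEY_CLASSES_ROOT\search-ms'           # key named in the article
$PsKeyPath = 'Registry::HKEY_CLASSES_ROOT\search-ms' # same key, PowerShell provider syntax

function Test-SearchMsHandler {
    # Returns $true if the search-ms protocol handler key is still registered.
    Test-Path -LiteralPath $PsKeyPath
}

function Backup-SearchMsHandler {
    param([string]$Dir)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $Dir "search-ms-$stamp.reg"
    # reg.exe export, as in the article; /y overwrites an existing file without prompting
    & reg.exe export $KeyPath $file /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $file)) {
        throw "Backup of $KeyPath failed (reg.exe exit code $LASTEXITCODE)"
    }
    return $file
}

function Remove-SearchMsHandler {
    # reg.exe delete /f, as in the article; /f suppresses the confirmation prompt
    & reg.exe delete $KeyPath /f | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Removal of $KeyPath failed (reg.exe exit code $LASTEXITCODE)"
    }
}

if (-not (Test-SearchMsHandler)) {
    Write-Output "search-ms handler is not present; nothing to do."
    return
}

$backup = Backup-SearchMsHandler -Dir $BackupDir
Write-Output "Backed up $KeyPath to $backup"

Remove-SearchMsHandler
if (Test-SearchMsHandler) {
    throw "$KeyPath is still present after deletion"
}
Write-Output "search-ms handler removed. To restore later: reg import `"$backup`""
```

Running the script a second time is harmless: it finds no key and exits without touching the registry. Keep the exported .reg file, since `reg import` of that file is the only way to restore the handler once Microsoft ships a proper fix and you want Windows Search links working again.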
Microsoft is already working on fixing vulnerabilities in protocol handlers and related Windows functions. However, experts say attackers will find other exploitable handlers, and that Microsoft should instead prevent URL handlers from running in Office applications without prompting the user.