In fact, this is an exploit of two vulnerabilities at the same time. Microsoft hasn't closed the security hole yet, but it's told you how to protect your computer. aktiviruetsja-pri-otkrytii-dokumentov-word-6361135.jpg” alt=”Windows has detected a vulnerability that activates when opening Word documents” />
Daria Gromova
Researchers have discovered a single new zero-day vulnerability that allows remote execution of malicious programs. The problem was a Uniform Resource Identifier (URI) called search-ms, which allows applications and links to run searches on the computer.
Modern versions of the system, including Windows 11, 10, and 7, allow Windows Search to browse files locally and on remote hosts. An attacker could use a protocol handler to create, for example, a fake Windows Update catalog and trick the user into opening malware disguised as an update. However, modern antiviruses usually react to such files and warn the user, so there is little chance of getting a click in this way. But scammers have also found other ways to exploit this vulnerability. pri-otkrytii-dokumentov-word-d6b62fa.jpg” alt=”Windows has detected a vulnerability that activates when opening Word documents” />
As it turned out, the search-ms protocol handler can be combined with a vulnerability in Microsoft Office OLEObject, discovered even earlier. It allows you to bypass browsing protection and run URI protocol handlers without user interaction.
YouTube has a demonstration of how this method works: an MS Word file was used to launch another application, in this case a calculator. Since search-ms allows you to change the name of the search box, hackers can mask the interface to mislead their victim.
The same can be achieved with RTF documents. In this case, you don't even need to start Word. A new search window is opened when File Explorer renders a preview of a file in the preview pane.
Microsoft has a fix for this vulnerability. Removing the search-ms protocol handler from the Windows registry will help protect the system. To do this:
- Press Win + R, type cmd and press Ctrl + Shift + Enter to launch Command Prompt with administrative privileges.
- Type reg export HKEY_CLASSES_ROOTsearch- ms search-ms.reg and press Enter to back up the key.
- After that, type reg delete HKEY_CLASSES_ROOTsearch-ms /f and press Enter to remove the key from the registry.
< /ul>
Microsoft is already working on fixing vulnerabilities in protocol handlers and related Windows features. However, experts say that hackers will find other exploit handlers, and Microsoft should instead prevent URL handlers from running in Office applications without prompting the user.