Just as the dust was beginning to settle on the strangely named Follina vulnerability, along comes another zero-day Windows security hole.
Sort of.
While we're not sure this is quite as dramatic or as dangerous as some of the headlines make out (which is why we carefully added the words "sort of" above), we're not surprised that researchers are currently looking for new ways to misuse the many proprietary URL schemes in Windows.
URL schemes revisited
In short, the Follina bug, now more precisely known as CVE-2022-30190, relies on an unusual, non-standard URL scheme that is supported by the Windows operating system.
To put it bluntly, most URLs are structured to tell you, or the software you are using, where to go, how to get there, and what you want when you arrive.
For example, the URL `https://example.com/ask/forthis.item` says, "Use the `https:` scheme to connect to a server called `example.com`, and then request a file called `/ask/forthis.item`."
Similarly, the URL `file:///Users/duck/thisone.txt` says, "Find a file on the local computer called `thisone.txt` in the directory `/Users/duck`."
And the URL `ldap://192.169.1.79:8888/Runthis` says, "Perform an LDAP lookup on the server `192.169.1.79` via TCP port 8888, and search for an object called `Runthis`."
But Windows includes a long list of proprietary URL schemes (the part of the URL up to the first colon), also known as protocol handlers, that can be used to trigger a range of non-standard activity simply by specifying a suitably constructed URL.
The Follina bug, for example, took advantage of the little-known `ms-msdt:` URL scheme, which is related to system diagnostics.
The `ms-msdt:` scheme, which we assume seemed like a good idea when it was implemented but looks foolish now, says, "Run the Microsoft Support Diagnostic Tool", a program called MSDT.EXE that takes you through a series of basic steps for troubleshooting a misbehaving app.
But a bunch of cybercriminals discovered that you can abuse the `ms-msdt:` protocol handler by embedding a URL inside a document or email that is opened by Office or Outlook.
With a rogue `ms-msdt:` URL, attackers can not only silently launch the MSDT.EXE app on your computer, but also feed it a chunk of rogue PowerShell script code that forces it to run malware of their choice.
Instead of helping to fix your computer's problems, MSDT ends up infecting it instead.
URLs you've never heard of
It turns out that `ms-msdt:` isn't the only weird and wonderful Windows-specific URL scheme that Microsoft has dreamed up.
The Windows registry contains numerous "helpful" URL schemes, standard and non-standard, each associated with a protocol handler through registry entries.
These registry entries tell Windows that a special action should be triggered whenever someone tries to access a matching URL.
For example, as you know from experience, accessing an `https:` URL usually fires up your browser, if it isn't already running.
And, as we explained above, accessing an `ms-msdt:` URL fires up MSDT.EXE, although we suspect that very few people knew that before the start of this week. (We didn't: we had never used, or even seen, this kind of URL before the Follina story broke.)
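To see which URL schemes a given machine will actually hand off to a protocol handler, here is an added PowerShell snippet (ours, not the article's) that walks HKEY_CLASSES_ROOT looking for the `URL Protocol` marker value and reports the command each scheme launches; the column names and the default watch list are our choices.

```powershell
# Added example: enumerate registered URL schemes (protocol handlers) in HKCR.
# Each scheme key carries a string value named 'URL Protocol' (usually empty) and
# normally a shell\open\command subkey holding the program that gets launched.
function Get-UrlProtocolHandler {
    [CmdletBinding()]
    param(
        # Schemes the article singles out; every other registered scheme is listed too.
        [string[]]$Watch = @('ms-msdt', 'search-ms')
    )
    $hkcr = Get-Item -Path 'Registry::HKEY_CLASSES_ROOT'
    foreach ($name in $hkcr.GetSubKeyNames()) {
        # Some keys are not readable without extra rights; skip those quietly.
        $key = try { $hkcr.OpenSubKey($name) } catch { $null }
        if ($null -eq $key) { continue }
        try {
            if ($key.GetValueNames() -notcontains 'URL Protocol') { continue }
            $cmdKey = $key.OpenSubKey('shell\open\command')
            $command = if ($cmdKey) { $cmdKey.GetValue('') } else { $null }
            [pscustomobject]@{
                Scheme  = $name.ToLower() + ':'
                Command = $command
                Flagged = ($Watch -contains $name.ToLower())
            }
        } finally { $key.Close() }
    }
}

# Flagged schemes first, so ms-msdt: and search-ms: are easy to spot.
Get-UrlProtocolHandler | Sort-Object Flagged, Scheme -Descending | Format-Table -AutoSize
```

Expect dozens of entries on a typical desktop; the interesting ones are those whose Command points at something other than a browser or a mail client.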
Well, the well-known cybersecurity researcher HackerFantastic has now showcased a Windows URL scheme called `search-ms:` that, like `ms-msdt:`, could be abused by cybercriminals for treachery.
As we said above, we're not entirely sure this belongs in the "zero-day exploit" category, because it doesn't directly lead to unexpected remote code execution...
But we acknowledge that it's a close call, and you may want to stop this particular URL scheme from working in future.
The "search URL" trick
Simply put, a `search-ms:` URL pops up and automatically performs a Windows search, just as if you had clicked the magnifying glass in the taskbar, typed in the text of your choice, and waited for the results.
And by embedding such a URL in a document such as a DOC or RTF file, much as in the Follina trick, an attacker can entice you to open a document and then automatically pop up an official-looking list of search results:
Microsoft Office 2019 / Windows 10 / search-ms: Exploitation of URI Handlers and Post-Exploitation Steps on the System. pic.twitter.com/r512uF3vQ4
– hackerfantastic.crypto (@hackerfantastic) June 1, 2022
Attackers who embed such URLs in booby-trapped documents can choose in advance what will appear in the title of the search bar and which files will be displayed.
The files shown don't have to be locally stored files such as `C:\Users\duck\mypreso.ppt`, but can be remote files (UNC paths) such as `\\live.sysinternals.com\psshutdown.exe` or `\\example.org\dodgy.exe`.
Of course, this doesn't automatically run the offending files, which is why we consider this to be only a "sort of" zero-day.
You still have to pick one of the files, double-click to run it, and click through a security warning, as you can see in the Twitter video above.
Nevertheless, this trick is certainly a lot more believable than the old-school lure of an email containing suspicious-looking web links.
The window that pops up isn't a browser or an email client.
Instead, it looks exactly like what you see when you do a regular search on your local computer, and it contains nothing that looks like a traditional web link.
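The detection side of the trick just described, as an added example (ours, not HackerFantastic's or the article's): a PowerShell function that pulls the text out of Office ZIP containers and out of RTF/DOC files, then flags `search-ms:`, `ms-msdt:` and UNC-path indicators. The regex, the function name and the constructed sample file are our assumptions.

```powershell
# Added example: scan documents for the proprietary URL schemes discussed here and
# for UNC paths, which is where the lure's remote files would be pointed.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# One pattern for search-ms:/ms-msdt: URLs and for \\host\share... style paths.
$script:IndicatorPattern = '(?i)\b(?:search-ms|ms-msdt):[^\s"''<>]+|\\\\[A-Za-z0-9.\-]+\\[^\s"''<>]+'

function Find-DocumentUrlIndicator {
    param([Parameter(Mandatory)][string]$Path)
    $bytes  = [System.IO.File]::ReadAllBytes($Path)
    $chunks = [System.Collections.Generic.List[string]]::new()
    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0x50 -and $bytes[1] -eq 0x4B) {
        # DOCX/PPTX/XLSX are ZIP containers ("PK"): URLs live in XML parts and *.rels files.
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            foreach ($entry in $zip.Entries) {
                $reader = New-Object System.IO.StreamReader($entry.Open())
                try { $chunks.Add($reader.ReadToEnd()) } finally { $reader.Dispose() }
            }
        } finally { $zip.Dispose() }
    } else {
        # RTF is 8-bit text; legacy binary DOC keeps strings as UTF-16LE. Decode both ways.
        $chunks.Add([System.Text.Encoding]::GetEncoding('iso-8859-1').GetString($bytes))
        $chunks.Add([System.Text.Encoding]::Unicode.GetString($bytes))
    }
    foreach ($text in $chunks) {
        foreach ($m in [regex]::Matches($text, $script:IndicatorPattern)) {
            [pscustomobject]@{ File = $Path; Indicator = $m.Value; Offset = $m.Index }
        }
    }
}

# Constructed sample (not a real lure): an RTF file carrying one scheme and one UNC path.
$sample = Join-Path $env:TEMP 'constructed-sample.rtf'
'{\rtf1\ansi see search-ms:query=example and \\\\example.org\\share\\file.exe }' |
    Set-Content -Path $sample -Encoding Ascii
Find-DocumentUrlIndicator -Path $sample | Format-Table -AutoSize
```

Point the function at a mail quarantine or download folder with `Get-ChildItem -Recurse -Include *.docx,*.doc,*.rtf` to triage a batch; a hit is a reason to look closer, not proof of malice, since `search-ms:` has legitimate uses.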
What to do?
- Never open a file without double-checking its name. Don't assume that the files shown in a Windows search dialog are local files that you can trust, especially if the search isn't one you started yourself. If in doubt, leave it out!
- Turn on the Windows option to show file extensions. Annoyingly, Windows suppresses file extensions by default, so a file such as `risky.exe` shows up simply as `risky`. This means that a file deliberately misnamed `readme.txt.exe` ends up looking like an innocent `readme.txt`. Open File Explorer and go to View > File name extensions.
- Remember that remote file names aren't as obvious as web links. Windows lets you access files via a drive letter or a UNC path. A UNC path often names a server on your own network, e.g. `\\MAINSRV`, but can equally well refer to a remote server on the internet, e.g. `\\files.example.com` or `\\198.51.100.42`. Double-clicking a remote file specified as a UNC path not only downloads it in the background from the specified server, but automatically runs it when it arrives.
- Consider deleting the registry entry `HKEY_CLASSES_ROOT\search-ms`. This is similar to the mitigation for the Follina bug, where you delete the `ms-msdt` entry instead. It breaks the one-click connection between `search-ms:` URLs and the search window. Once the registry entry is deleted, `search-ms:` URLs have no special meaning and therefore don't trigger anything.
- Watch this space. We wouldn't be surprised if other proprietary Windows URL schemes make cybersecurity news in the next few days or weeks, either pressed into service by cybercriminals for misleading or even directly destructive purposes, or exposed by researchers probing the limits of the system.
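The registry and file-extension advice above, as an added PowerShell script that is ours rather than the article's. It assumes an elevated session; the backup folder, the `-WhatIf` default and the function names are our choices.

```powershell
# Added example: remove a URL scheme's protocol handler (search-ms by default, add
# ms-msdt for the Follina mitigation), keeping a .reg backup so the change is reversible,
# and switch Explorer to always show file extensions.
function Disable-UrlScheme {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]]$Scheme = @('search-ms'),
        [string]$BackupDir = "$env:ProgramData\UrlSchemeBackup"   # our choice of location
    )
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($s in $Scheme) {
        $key = "Registry::HKEY_CLASSES_ROOT\$s"
        if (-not (Test-Path -Path $key)) { Write-Verbose "$s is not registered here"; continue }
        $backup = Join-Path $BackupDir ("$s-" + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.reg')
        # reg.exe export saves the whole handler subtree; 'reg import <file>' restores it.
        & reg.exe export "HKCR\$s" $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup of HKCR\$s failed; refusing to delete it" }
        if ($PSCmdlet.ShouldProcess("HKCR\$s", 'Remove protocol handler')) {
            Remove-Item -Path $key -Recurse -Force
            Write-Verbose "Removed HKCR\$s (backup: $backup)"
        }
    }
}

function Show-FileExtensions {
    # HideFileExt=0 makes Explorer display 'readme.txt.exe' rather than 'readme.txt'.
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $adv -Name HideFileExt -Value 0 -Type DWord
}

Disable-UrlScheme -Scheme 'search-ms' -Verbose -WhatIf   # drop -WhatIf to apply
Show-FileExtensions
```

HKCR is a merged view of `HKLM\Software\Classes` and `HKCU\Software\Classes`, so re-run the audit afterwards to confirm the scheme is gone from both; the extension setting takes effect once Explorer restarts.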