Just as the dust began to settle on the strangely named Follina bug…
… along came another vulnerability for Windows.
We’re not convinced that this one is quite as dramatic or dangerous as some of the headlines seem to imply (which is why we carefully added the words “kind of” above), but we’re not surprised that researchers are currently looking for new ways to misuse the many types of URL that Windows supports.
URL schemes revisited
To recap:
The Follina bug, now known as CVE-2022-30190, relies on a strange, non-standard URL type supported by Windows.
Loosely speaking, most URLs are organised so that they tell you, or tell the software you are using, where to go, how to get there, and what to ask for when you arrive.
For example, the URL…
… says: use the scheme called https: to connect to a server called example.com, then ask for a file called
Likewise, the URL…
… says: find a file on your local computer called thisone.txt in the directory
And the URL…
… says: do an LDAP lookup over TCP port 8888 to the server 192.168.1.79 and search for an object called
But Windows includes a long list of special URL schemes (the characters up to the first colon), also known as protocol handlers, that can be used to trigger a range of non-standard activities simply by referring to a special URL.
Follina’s bug took advantage of, for example, the URL scheme ms-msdt:, which is related to system diagnostics.
The ms-msdt: scheme, which we suppose made sense at the time it was implemented though it seems reckless now, says: run the Microsoft Support Diagnostic Tool, a program called MSDT.EXE that aims to walk you through a series of basic steps when troubleshooting an application that is behaving incorrectly.
But a group of cybercriminals discovered that you can abuse the ms-msdt: protocol handler by embedding a URL inside a document or email that is then opened by Outlook or Office.
With a crooked ms-msdt: URL, attackers can not only silently run the MSDT.EXE application on your computer, but also feed it a set of deceptive PowerShell scripts in order to run malware of their choice.
Instead of helping you troubleshoot your computer, the crooks take advantage of MSDT to infect it instead.
URLs You’ve Never Heard Of
It turns out that ms-msdt: is not the only weird and wonderful Windows URL scheme that Microsoft has dreamed up.
There are many “help” URL schemes, both standard and non-standard, that are linked to protocol handlers via entries in the Windows registry.
These registry keys indicate that special actions should be triggered when someone tries to access the relevant URLs.
For example, as you know from experience, visiting an https: URL will usually launch your browser, if it isn’t already running.
As we explained above, visiting an ms-msdt: URL runs MSDT.EXE, although we suspect very few people knew about that before the start of this week. (We didn’t – we hadn’t used or even seen a URL of this type before the Follina story broke.)
Well, a cybersecurity researcher known as hackerfantastic has now found that a Windows URL scheme called search-ms: can, like ms-msdt:, be misused for cybercriminal treachery.
As we said earlier, we’re not entirely convinced that this falls into what we would call “zero-day exploit” territory, because it doesn’t directly lead to unexpected remote code execution…
…but we accept that it’s a close call, and that you may want to prevent this special URL type from working in the future.
The ‘search URL’ trick
search-ms: URLs pop up and perform a search in Windows automatically, as if you had clicked the magnifying glass in the taskbar yourself, typed in text of your choice, and waited for the results.
And by embedding this type of URL in a document such as a DOC or RTF file, in the same way that Follina’s trick was pulled off, an attacker could tempt you into opening a document and then have a search window pop up automatically, showing a list of attacker-chosen search results:
Microsoft Office 2019 / Windows 10 / search-ms: exploit URI handler and post-exploit steps for the system. pic.twitter.com/r512uF3vQ4
– hackerfantastic.crypto (hackerfantastic) June 1, 2022
Attackers who embed the special URL in the booby-trapped document get to pre-select what appears in the title of the search bar and which files are displayed.
The files that appear need not be locally stored files like C:\Users\duck\mypreso.ppt but can also be remote files specified as UNC paths.
Of course, this doesn’t automatically run the offending files, which is why we consider this only “kind of” a zero-day.
You still need to choose a file, double-click it to run it, and click through a security warning, as you can see in the Twitter video above.
However, this ploy definitely puts you in harm’s way more believably than the lure of an old-style email containing suspicious web links.
The popup isn’t a browser or an email client.
Instead, it looks just like what you’d see if you did a regular search on your local computer, and it doesn’t contain anything that looks like a traditional web link.
What to do?
- Never open files without double-checking their names. Don’t assume that the files that appear in the Windows search dialog are local files you can trust, especially if you didn’t deliberately start the search yourself. If in doubt, leave it out!
- Turn on the Windows option to show file extensions. Annoyingly, Windows hides file extensions by default, so a file like risky.exe simply shows up as risky. This means that a file deliberately renamed to readme.txt.exe ends up looking like an innocent, if slightly misspelled, readme.txt. To fix this, open File Explorer and go to View > File name extensions.
- Remember that remote file names are not as obvious as web links. Windows allows you to access files by drive letter or by UNC path. A UNC path often refers to the name of a server on your own network, for example \\MAINSRV, but can also refer to remote servers on the internet, such as \\198.51.100.42. Double-clicking a remote file specified as a UNC path will not only download it in the background from the specified server, but will also run it automatically as soon as it arrives.
- Consider deleting the registry entry HKEY_CLASSES_ROOT\search-ms. This is a mitigation similar to the one used for the Follina bug, where you delete the ms-msdt entry instead. This breaks the magical connection between clicking on a search-ms: URL and activating the search window. After deleting the registry entry, search-ms: URLs no longer have any special meaning, so they don’t lead anywhere.
- Watch this space. We wouldn’t be surprised if other Windows URL schemes make cybersecurity news in the next few days or weeks, whether pressed into service for devious or even outright destructive purposes by cybercriminals, or simply discovered by researchers probing the system as it stands.
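As an added example (not from the original article), here is PowerShell that first audits which URL schemes have protocol handlers registered in HKEY_CLASSES_ROOT and what command each one runs, and then backs up and removes a chosen handler key such as search-ms, as the mitigation above describes. It assumes an elevated PowerShell session and a backup directory path of your choosing.

```powershell
# Added example: audit Windows URL protocol handlers, then optionally back up
# and delete one of them (e.g. search-ms). Assumes an elevated PowerShell
# session; the backup directory name is a placeholder of your choosing.

# A key under HKEY_CLASSES_ROOT is a URL scheme if it carries a value named
# "URL Protocol"; its shell\open\command subkey shows what actually runs.
function Get-UrlProtocolHandler {
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $null -ne $_.GetValue('URL Protocol', $null) } |
        ForEach-Object {
            $cmdKey = "$($_.PSPath)\shell\open\command"
            $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{ Scheme = $_.PSChildName; Command = $cmd }
        }
}

# Export the handler key to a .reg file (so the change can be undone with
# 'reg import'), and only then remove it so the scheme loses its meaning.
function Disable-UrlProtocolHandler {
    param(
        [Parameter(Mandatory)][string]$Scheme,     # e.g. 'search-ms'
        [Parameter(Mandatory)][string]$BackupDir   # e.g. 'C:\RegBackups' (placeholder)
    )
    $key = "HKEY_CLASSES_ROOT\$Scheme"
    if (-not (Test-Path "Registry::$key")) {
        Write-Warning "$key is not present; nothing to do."
        return
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupDir "$Scheme-$stamp.reg"
    & reg.exe export $key $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $key failed; key was NOT deleted." }
    Remove-Item -Path "Registry::$key" -Recurse -Force
    Write-Host "Removed $key (backup saved to $backup)"
}

# Review the registered handlers first; the deletion call is left commented
# out so that running this file does not change the registry by itself.
Get-UrlProtocolHandler | Sort-Object Scheme | Format-Table -AutoSize
# Disable-UrlProtocolHandler -Scheme 'search-ms' -BackupDir 'C:\RegBackups'
```

To undo the mitigation later, run `reg import` on the .reg file the function wrote.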