Researchers have discovered a new zero-day vulnerability that allows you to remotely run malware. The problem turned out to be a universal resource identifier (URI) called search-ms, which allows applications and links to run a search on the computer.
Modern versions of the system, including Windows 11, 10 and 7, allow Windows Search to view files locally and on remote nodes. An attacker can use a protocol handler to create, for example, a fake Windows Update directory and trick the user into opening malware disguised as an update. However, modern antiviruses usually react to such files and warn the user, so there is little chance of getting a click in this way. But scammers have discovered other ways to exploit this vulnerability.
As it turned out, the search-ms protocol handler can be combined with a vulnerability in Microsoft Office OLEObject, discovered even earlier. It allows you to bypass browsing protection and run URI protocol handlers without user interaction.
A demonstration of this method appeared on YouTube: an MS Word file was used to launch another application, in this case a calculator. Since search-ms allows you to change the name of the search box, hackers can disguise the interface to mislead their victim.
This can also be achieved with RTF documents. In this case, you don't even need to run Word. A new search window opens when the file explorer forms a preview of the file in the preview panel.
Microsoft has instructions on how to fix this vulnerability. Removing the search-ms protocol handler from the Windows registry will help protect the system. To do this:
reg export:search-ms search-ms.reg
and press Enter to create a backup copy of the key.reg delete-search-ms /f
and press Enter to remove the key from the registry.