New Articles
Windows 11 users have discovered a funny bug that benefits older computers....
It's easy to turn off the transmission — we tell you how to do it....
Such photos have been taken by models and social media users for a long time,...
A famous musician? A schoolteacher? Mom? Tell us about the people you looked up...
Thanks to the instructions of Artyom Kozoriz, you can cope no worse than a...
5 interesting exercises that will help you develop flexibility....
From "Starship Troopers" and "The Matrix" to...
The return of Garfield and Mufasa, the new Transformers and the Lord of the...
Trickben.com » Windows » A vulnerability has been discovered in Windows that is activated when opening Word documents

A vulnerability has been discovered in Windows that is activated when opening Word documents

03 May 2023, 06:41, parser
0 comments    0 Show

Researchers have discovered a new zero-day vulnerability that allows you to remotely run malware. The problem turned out to be a universal resource identifier (URI) called search-ms, which allows applications and links to run a search on the computer.

Modern versions of the system, including Windows 11, 10 and 7, allow Windows Search to view files locally and on remote nodes. An attacker can use a protocol handler to create, for example, a fake Windows Update directory and trick the user into opening malware disguised as an update. However, modern antiviruses usually react to such files and warn the user, so there is little chance of getting a click in this way. But scammers have discovered other ways to exploit this vulnerability.

Microsoft Edge warning about an attempt to launch URI /Bleeping Computer

As it turned out, the search-ms protocol handler can be combined with a vulnerability in Microsoft Office OLEObject, discovered even earlier. It allows you to bypass browsing protection and run URI protocol handlers without user interaction.

A demonstration of this method appeared on YouTube: an MS Word file was used to launch another application, in this case a calculator. Since search-ms allows you to change the name of the search box, hackers can disguise the interface to mislead their victim.

This can also be achieved with RTF documents. In this case, you don't even need to run Word. A new search window opens when the file explorer forms a preview of the file in the preview panel.

Microsoft has instructions on how to fix this vulnerability. Removing the search-ms protocol handler from the Windows registry will help protect the system. To do this:

  • Press Win + R, type cmd and press Ctrl+ Shift + Enter to launch the Command Prompt with administrator rights.
  • Type reg export:search-ms search-ms.reg and press Enter to create a backup copy of the key.
  • After that, type reg delete-search-ms /f and press Enter to remove the key from the registry.
Microsoft is already working on fixing vulnerabilities in protocol handlers and related Windows features. However, experts argue that hackers will find other handlers for exploits, and Microsoft should instead prohibit the launch of URL handlers in Office applications without a user request.

Read also 🧐
  • A hole in Microsoft Defender allows attackers to easily bypass Windows protection
  • Gmail is spreading a virus under the guise of ordinary documents
  • A serious vulnerability has been discovered in the 7-Zip archiver for Windows
Comments
reload, if the code cannot be seen