Just when the dust settled on the weirdly named Follina exploit…
…along comes another (sort of) zero-day Windows security hole.
We don’t believe this one will be as dramatic or dangerous as some of the headlines suggest (which is why we’ve carefully added the words “sort of” above), but we’re not surprised that researchers are now looking for ways to abuse the many proprietary URL types that Windows supports.
Revisiting URL Schemes
The Follina bug, now more properly known as CVE-2022-30190, depends on a strange, non-standard URL scheme supported by the Windows operating system.
Roughly speaking, most URLs are structured so that they tell you, or the software you’re using, where to go, how to get there, and what to ask for when you get there.
For example, the URL…
…says, “Use the scheme called https: to connect to example.com, then request a …”
Again, the URL…
…says, “Find the file named thisone.txt on the local computer, in the directory …”
And the URL…
…says, “Do an LDAP lookup on the server 192.168.1.79 over TCP port 8888, and search for a …”
But Windows includes a long list of proprietary URL schemes (the letters up to the first colon character), also known as protocol handlers, which can be used to trigger a range of non-standard activities simply by referencing a special URL.
For example, the Follina bug makes clever use of the URL scheme ms-msdt:, which is related to system diagnostics.
The ms-msdt: scheme, which we think made sense when it was introduced even if it seems reckless now, says, “Run the Microsoft Support Diagnostic Tool”, a program called MSDT.EXE designed to walk you through a series of basic steps when troubleshooting a misbehaving application.
But cybercriminals found out that you can abuse the ms-msdt: protocol handler via a URL embedded in a document or email opened in Outlook or Office.
Using a booby-trapped ms-msdt: URL, attackers can not only silently launch the MSDT.EXE application on your computer, but also feed it a bunch of rogue PowerShell script code to force it to run malware of their choice.
Instead of helping you troubleshoot your computer, the crooks use MSDT to infect it.
URLs you’ve never heard of
It turns out that ms-msdt: isn’t the only weird and wonderful Windows-specific URL scheme Microsoft has dreamed up.
There are a number of “help” URL schemes, standard and non-standard, that connect to protocol handlers through entries in the Windows registry.
These registry keys indicate that special actions should be triggered when someone tries to access the relevant URL.
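To see which schemes of this sort are registered on your own computer, here is an added PowerShell example (not code from the original article): it lists every HKEY_CLASSES_ROOT subkey that carries a “URL Protocol” value, which is how Windows marks a scheme as having a protocol handler, and shows the command each one launches. The two scheme names singled out are the ones discussed in the article; everything else is read from the registry as found.

```powershell
# Added example: enumerate registered URL protocol handlers and the command
# each one runs. A scheme is registered when HKEY_CLASSES_ROOT\<scheme> has a
# value named "URL Protocol"; the launched command lives in shell\open\command.
function Get-UrlProtocolHandler {
    [CmdletBinding()]
    param(
        # Schemes to flag in the output; defaults to the two named in the article.
        [string[]]$Highlight = @('ms-msdt', 'search-ms')
    )
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $_.GetValueNames() -contains 'URL Protocol' } |
        ForEach-Object {
            $scheme  = $_.PSChildName
            $cmdKey  = Join-Path $_.PSPath 'shell\open\command'
            $command = $null
            if (Test-Path $cmdKey) {
                # The unnamed (default) value holds the command line.
                $command = (Get-ItemProperty -Path $cmdKey).'(default)'
            }
            [pscustomobject]@{
                Scheme      = "$scheme`:"
                Command     = $command
                Highlighted = ($Highlight -contains $scheme)
            }
        }
}

# List everything, with the highlighted schemes first.
Get-UrlProtocolHandler |
    Sort-Object -Property @{ Expression = 'Highlighted'; Descending = $true }, Scheme |
    Format-Table -AutoSize -Wrap
```

Enumerating HKEY_CLASSES_ROOT takes a few seconds, and the Command column is empty for schemes whose handler is registered elsewhere (for example via a DelegateExecute handler rather than a plain command line).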
For example, as a rule of thumb, accessing an https: URL will launch your browser if it isn’t already running.
And, as we explained above, accessing an ms-msdt: URL launches MSDT.EXE, although we suspect few people knew this before the start of the week. (We didn’t: we had never used or even seen this type of URL before the Follina story broke.)
Well, a cybersecurity researcher known as @hackerfantastic has found that a Windows URL scheme named search-ms: can, like ms-msdt:, be abused for cybercriminal treachery.
As we’ve said, we don’t quite believe this falls into the realm of what we would call a “zero-day”, since it doesn’t directly lead to unintended remote code execution…
…but we accept that it’s a close call, and that you may want to stop this special URL from working in future.
“Search URL” trick
A search-ms: URL automatically pops up and performs a Windows search, just as if you had clicked the magnifying glass in the taskbar yourself, typed in text of your choice and waited for the results.
By embedding this type of URL in a document (such as a DOC or RTF file), in much the same way as the Follina trick, an attacker can lure you into opening the document, whereupon an official-looking search window automatically pops up with a list of results:
Microsoft Office 2019 / Windows 10 / search-ms: URI handler exploit and post-exploitation steps on SYSTEM. pic.twitter.com/r512uF3vQ4
—hackerfantastic.crypto (@hackerfantastic) June 1, 2022
An attacker who embeds a special URL in a booby-trapped file can pre-select both the text displayed in the header of the search window and the files that show up in it.
The displayed file doesn’t have to be a locally stored file such as C:\Users\duck\mypreso.ppt, but can also be a remote file, specified as a UNC path of the sort described below.
Of course, this doesn’t automatically launch the file in question, which is why we only consider it a “sort of” zero-day.
You still need to select one of the files, double-click to run it and click through the security warning, as you can see in the Twitter video above.
Still, this trick is likely to leave you more exposed than old-fashioned email bait containing dubious web links.
The window that pops up is not a browser or email client.
Instead, it looks just like what you’d see when doing a regular search on your local computer, and doesn’t contain anything that looks like a traditional web link.
What should I do?
- Never open a file without carefully checking the filename. Don’t assume that files appearing in the Windows Search dialog are local files you can trust, especially if the search wasn’t one you started yourself. If in doubt, leave it out!
- Turn on the Windows option to display file extensions. Annoyingly, Windows suppresses file extensions by default, so a file such as risky.exe shows up only as risky. This means that a file deliberately named readme.txt.exe ends up looking as innocent as readme.txt. Open File Explorer, then go to View and enable the file name extensions option.
- Remember that remote filenames aren’t as obvious as web links. Windows lets you access files by drive letter or by UNC path. A UNC path usually refers to a server name on your own network, such as \\MAINSRV, but it can also refer to a remote server on the internet, such as \\198.51.100.42. Double-clicking a remote file specified as a UNC path will not only download it in the background from the specified server, but also launch it automatically when it arrives.
- Consider deleting the registry key HKEY_CLASSES_ROOT\search-ms. This is similar to the mitigation for the Follina bug, where you remove the ms-msdt entry instead. Deleting it breaks the magic link between clicking a search-ms: URL and the search window popping up. Once the registry key is gone, search-ms: URLs have no special meaning, so nothing is triggered.
- Watch this space. We wouldn’t be surprised if other proprietary Windows URL schemes make cybersecurity news in the next few days or weeks, whether because cybercriminals put them to cunning or even outright destructive use, or simply because researchers probing the system’s limits discover them.
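The registry mitigation in the list above, as an added PowerShell example (not the article’s own code): it exports the scheme’s key to a .reg file before deleting it, so the change can be reversed if something you rely on stops working. The backup directory is an assumed location; run it from an elevated prompt, and preview with -WhatIf first.

```powershell
# Added example: back up and remove the protocol handler key for a URL scheme
# (search-ms or ms-msdt as discussed above), with a restore function.
function Disable-UrlScheme {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Scheme,                       # e.g. 'search-ms'
        [string]$BackupDir = "$env:USERPROFILE\url-scheme-backups"   # assumed location
    )
    $keyPath = "HKEY_CLASSES_ROOT\$Scheme"
    if (-not (Test-Path "Registry::$keyPath")) {
        Write-Warning "$keyPath is not present; nothing to do."
        return
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backup = Join-Path $BackupDir ("{0}-{1:yyyyMMdd-HHmmss}.reg" -f $Scheme, (Get-Date))
    # reg.exe export writes a restorable .reg file; /y overwrites without prompting.
    & reg.exe export $keyPath $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup of $keyPath failed; key left in place."
    }
    if ($PSCmdlet.ShouldProcess($keyPath, 'Remove registry key')) {
        Remove-Item -Path "Registry::$keyPath" -Recurse -Force
        Write-Host "Removed $keyPath (backup saved to $backup)"
    }
}

function Restore-UrlScheme {
    param([Parameter(Mandatory)][string]$BackupFile)
    # Re-importing the .reg file recreates the key and its subkeys as exported.
    & reg.exe import $BackupFile
}

# Dry run first, then apply for real by dropping -WhatIf.
Disable-UrlScheme -Scheme 'search-ms' -WhatIf
```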