
Windows zero-day can load malware from a Word document


A new Windows zero-day vulnerability has been discovered that opens a Windows Search window and loads remotely hosted malware when a user simply opens a Word document.

Because Windows Search queries can be customised to search shared files on remote hosts and to set the title of the search window, threat actors can host malware on a remote Windows share disguised as security updates and then include the search-ms URI in phishing attachments or emails.

Such a URL normally shows a warning telling the user that the site is trying to open a Windows Explorer search. Security researcher and Hacker House co-founder Matthew Hickey, however, found a way around this by combining a new Microsoft Office OLEObject flaw with the search-ms protocol handler to open remote search windows directly from a Word document.

This is similar to the recently discovered ‘Follina’ vulnerability, tracked as CVE-2022-30190, since a malicious Word document can trigger both vulnerabilities. Additionally, Windows Explorer’s preview pane can also trigger both, provided the document is in RTF format.
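As an added illustration, not code from the article or from the researchers it cites, the following Python scanner opens a .docx package and reports any relationship that points outside the document (TargetMode="External") using the search-ms:, ms-msdt: or mhtml: schemes, which is the kind of OLE object link both this flaw and Follina depend on. The sample document it builds is constructed for the demonstration and `fileserver.example` is a placeholder host name.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Protocol-handler schemes the article names (search-ms, ms-msdt) plus mhtml,
# which Follina-style documents used to fetch the remote payload.
RISKY_SCHEMES = ("search-ms:", "ms-msdt:", "mhtml:")
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def find_risky_external_rels(docx_bytes):
    """Return (part name, relationship type, target) for every relationship in
    the package that is External and whose target uses a risky URI scheme.
    Internal parts and ordinary https hyperlinks are ignored."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed relationship part: nothing to inspect
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "").strip()
                if target.lower().startswith(RISKY_SCHEMES):
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rel_type, target))
    return hits


def build_sample_docx():
    """Constructed minimal .docx-like zip (not a real document): one benign
    hyperlink and one external oleObject whose target is a search-ms URI
    naming a remote share (placeholder host) with a custom window title."""
    rels = r'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.com/" TargetMode="External"/>
  <Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="search-ms:query=update&amp;crumb=location:\\fileserver.example\share&amp;displayname=Security%20Updates" TargetMode="External"/>
</Relationships>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for part, rel_type, target in find_risky_external_rels(build_sample_docx()):
        print(f"{part}: {rel_type} -> {target}")
```

RTF files are not OOXML packages, so this check does not cover the RTF preview-pane case the article mentions; it is a triage aid for mail-gateway or sandbox pipelines handling .docx attachments, not a replacement for the registry and preview-pane mitigations below.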

Since the search window can be given any name, threat actors can more easily trick victims into believing they are installing updates or some other critical software rather than malware.

Mitigations are the same as for the Windows MSDT flaw: disable the search-ms protocol handler in the registry and turn off the preview pane in Windows Explorer when dealing with suspicious documents. These flaws aren’t new either; Benjamin Altpeter disclosed them in his 2020 thesis on Electron application security.

Microsoft is working on removing flaws in protocol handlers and other Windows features rather than fixing the Microsoft Office side that makes exploitation possible. However, CERT/CC vulnerability analyst Will Dormann points out that since the exploits rely on two different flaws, leaving the Microsoft Office URI weakness unfixed will lead to more protocol handlers being abused.

Exploits for the Windows MSDT flaw are already in the wild, and BleepingComputer reports having found ways threat actors could exploit the new flaw, but chose not to disclose them at the time of writing.



Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: [email protected].