
This week, Microsoft warned of an as yet unpatched vulnerability in Windows, which according to various reports is already being actively exploited. Now it is becoming apparent that there may be another weak point that is very similar.

The vulnerability documented by Microsoft affects the URI protocol associated with the Microsoft Support Diagnostic Tool (MSDT). The only workaround that currently at least partially protects against an attack is to disable the relevant protocol.

Via my colleague Gunter Born I have now come across a report that there may be another vulnerability in a URI protocol, which the discoverers have nicely titled “Search Nightmare”. Again, this is a vulnerability in a protocol, namely search-ms, which triggers the internal search function of Windows.

In combination with the attack method from the MSDT vulnerability, for example, opening a Word document could be enough to start a search and redirect the user to a network share, from where they could be induced to run further files.

At Bleeping Computer there is a summary with a fairly detailed proof-of-concept. As far as I can see, no successful attack can take place without the “active cooperation” of the logged-in user. In the past, Microsoft has not considered such attack methods to be highly critical, but in this case one will probably have to wait for further information.

The recommended workaround is the same as for the MSDT vulnerability: you can disable the search-ms protocol by issuing the following command from an administrative command line:

“reg delete HKEY_CLASSES_ROOT\search-ms /f”

With the command “reg export HKEY_CLASSES_ROOT\search-ms filename” you can create a backup of the registry entry beforehand, which can be restored with “reg import filename” if necessary.
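The backup, delete and restore steps above, combined into one script that refuses to delete the key unless the backup succeeded. This is an added example, not part of the original post; the backup file location and the variable names are assumptions.

```powershell
# Added example: back up, remove and verify the search-ms protocol handler.
$Key    = 'HKEY_CLASSES_ROOT\search-ms'                        # key named in the article
$Backup = Join-Path $env:USERPROFILE 'search-ms-backup.reg'    # assumed backup location

# Deleting under HKEY_CLASSES_ROOT requires an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an administrative command line.'
}

# reg query exits non-zero when the key does not exist (workaround already applied).
reg.exe query $Key *> $null
if ($LASTEXITCODE -ne 0) {
    Write-Output "$Key is not present; nothing to do."
    return
}

# Keep an earlier backup intact instead of overwriting it.
if (Test-Path $Backup) {
    throw "Backup file $Backup already exists; move it or choose another name."
}

# Export first, and only continue if a non-empty .reg file was written.
reg.exe export $Key $Backup
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $Backup) -or (Get-Item $Backup).Length -eq 0) {
    throw "Backup failed; $Key was left untouched."
}

# Remove the handler, as in the article's workaround.
reg.exe delete $Key /f
if ($LASTEXITCODE -ne 0) {
    throw "Could not delete $Key."
}

# Confirm that the key is really gone.
reg.exe query $Key *> $null
if ($LASTEXITCODE -eq 0) {
    throw "$Key is still present after the delete."
}

Write-Output "Removed $Key. To restore: reg import `"$Backup`""
```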

At this point, though, I’d put that in the “shooting at a nut with a cannon” category. Let’s see if and what Microsoft says about it.


The post Search Nightmare: Another log vulnerability in Windows? appeared first on Gamingsym.