What is all this???? Yet another zero-day (sort of) in Windows “search URL” handling

Hi all, this is Jamie at Panacea 🙂

I’ve been learning so much in my last few months here that it’s hard to keep up some days. I know I’m not the only one just trying to keep my head above water with how quickly things change and how scary some of these things are… So I’m hoping that sharing all of my newfound knowledge helps you as much as it’s been helping me!!

That all said, here’s another great article from our partners at Sophos answering my question, “What is all this????”:

Yet another zero-day (sort of) in Windows “search URL” handling

Just as the dust started to settle on the weirdly-named Follina vulnerability…

… along came another zero-day Windows security hole.

Sort of.

We’re not convinced that this one is quite as dramatic or as dangerous as some of the headlines seem to suggest (which is why we carefully added the words “sort of” above), but we’re not surprised that researchers are currently looking for new ways to abuse the many proprietary URL types in Windows.

URL schemes revisited

To recap.

The Follina bug, now more properly known as CVE-2022-30190, hinges on a weird, non-standard URL supported by the Windows operating system.

Loosely speaking, most URLs are structured so they tell you, or the software you’re using, where to go, how to get there, and what to ask for when you arrive.

For example, the URL…

   https://example.com/ask/forthis.item

…says, “Use the scheme called https: to connect to a server called example.com and then request a file called /ask/forthis.item.”

Similarly, the URL…

   file:///Users/duck/thisone.txt

…says, “Look for a file on the local computer called thisone.txt in the directory /Users/duck.”

And the URL…

   ldap://192.169.1.79:8888/Runthis

…says, “Do an LDAP lookup via TCP port 8888 to server 192.168.1.79, and search for an object called Runthis.”

But Windows includes a lengthy list of proprietary URL schemes (the letters up to the first colon character), also known as protocol handlers, that can be used to trigger a range of non-standard activities simply by referencing the special URL.

The Follina bug, for example, took devious advantage of the URL scheme ms-msdt:, which relates to system diagnostics.
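As an added example (not code from the Sophos article or from Panacea), here is a small Python scanner that does what the article describes by hand: it pulls the scheme out of each URL (the letters up to the first colon) and flags any scheme that is not on an allow-list of everyday schemes, treating ms-msdt: and the Windows search-ms: handler (the “search URL” handler of the title, which is known to exist) as Windows protocol handlers. The allow-list, the handler set and the sample text are assumptions made for the example.

```python
import re
from typing import List, Optional, Tuple

# RFC 3986 scheme grammar: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":"
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Assumed allow-list of schemes a defender expects to see in documents and mail.
STANDARD_SCHEMES = {"http", "https", "mailto", "ftp", "file", "ldap"}

# Windows-proprietary protocol handlers: ms-msdt: is the Follina (CVE-2022-30190)
# handler named in the article; search-ms: is the Windows search handler.
WINDOWS_HANDLERS = {"ms-msdt", "search-ms"}

def scheme_of(url: str) -> Optional[str]:
    """Return the scheme (letters before the first colon), lower-cased, or None."""
    m = _SCHEME_RE.match(url.strip())
    return m.group(1).lower() if m else None

def classify(url: str) -> str:
    """Bucket a URL as standard, a Windows handler, unknown, or not a URL at all."""
    s = scheme_of(url)
    if s is None:
        return "not-a-url"
    if s in STANDARD_SCHEMES:
        return "standard"
    if s in WINDOWS_HANDLERS:
        return "windows-handler"
    return "unknown"

# URL-looking tokens in free text (e.g. XML extracted from an Office document).
_URL_RE = re.compile(r"\b([A-Za-z][A-Za-z0-9+.\-]*):([^\s\"'<>]+)")

def find_suspicious_urls(text: str) -> List[Tuple[str, str]]:
    """Return (url, class) for every URL whose scheme is not on the allow-list."""
    hits = []
    for m in _URL_RE.finditer(text):
        scheme, rest = m.group(1), m.group(2)
        if len(scheme) == 1 or rest[0].isdigit():
            continue  # drive letters like C:\ and host:port tokens are not schemes
        url = m.group(0).rstrip(".,;)")  # drop sentence punctuation glued to the URL
        c = classify(url)
        if c != "standard":
            hits.append((url, c))
    return hits

# Constructed sample text mixing the article's URLs with two handler URLs.
SAMPLE_TEXT = r"""Links: https://example.com/ask/forthis.item and file:///Users/duck/thisone.txt
plus ldap://192.168.1.79:8888/Runthis, then ms-msdt:/example-path and
search-ms:query=example; also C:\Temp\x.txt and host.example:8080/"""
```

Running `find_suspicious_urls(SAMPLE_TEXT)` reports only the two Windows handler URLs; the drive letter and host:port tokens are skipped.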

READ THE REST…

Jamie Brion
