Security Alert: New Unpatched Vulnerability in Windows "search:" URI Handler

Researchers have identified a concerning unpatched security vulnerability within the Windows search: URI handler.

Similar to the previously disclosed flaw in the Windows Snipping Tool, this vulnerability can be exploited to force a system to leak NTLMv2 hashes. By luring a user to trigger a malicious URI, an attacker can capture these hashes, which can then be used in relay or cracking attacks to gain unauthorized access to credentials or network resources.

Why this matters:

1- Ease of Exploitation: URI handler vulnerabilities are often triggered via simple links in web browsers, documents, or messaging platforms.

2- Credential Exposure: NTLMv2 hash theft remains a highly effective method for attackers to escalate privileges and move laterally within a corporate environment.

3- Zero-Day Status: As of now, there is no official patch available from Microsoft.

Recommended Mitigations:

1- Monitor Network Traffic: Watch for unusual SMB or HTTP traffic originating from workstations that are attempting to authenticate to external IP addresses.

2- Filter/Block: If possible, implement network-level blocks for outbound SMB (TCP/445) to untrusted external addresses.

3- User Awareness: Advise teams to exercise caution when clicking suspicious links, especially those formatted as search:query in unexpected contexts.

We are keeping a close eye on this, and we anticipate a security update from Microsoft in an upcoming Patch Tuesday cycle. In the meantime, keeping your systems updated and enforcing robust endpoint detection is critical.

Stay vigilant, and ensure your security teams are aware of this potential attack vector.

#CyberSecurity #InfoSec #WindowsSecurity #ZeroDay #TechAlert #NetworkSecurity #ITSecurity