A new Windows Search zero-day vulnerability can be used to automatically open a search window containing remotely-hosted malware executables simply by launching a Word document.
The security issue can be leveraged because Windows supports a URI protocol handler called 'search-ms' that allows applications and HTML links to launch customized searches on a device.
While most Windows searches will look on the local device's index, it is also possible to force Windows Search to query file shares on remote hosts and use a custom title for the search window.
For example, the popular Sysinternals toolset allows you to remotely mount
live.sysinternals.com as a network share to launch their utilities. To search this remote share and list only files matching a particular name, you could use the following 'search-ms' URI:
search-ms:query=proc&crumb=location:%5C%5Clive.sysinternals.com&displayname=Searching%20Sysinternals
As you can see from the command above, the search-ms 'crumb' variable specifies the location to search, and the 'displayname' variable specifies the search title.
A customized search window will appear when this command is executed from a Run dialog or web browser address bar on Windows 7, Windows 10, and Windows 11, as shown below.