Security researchers have identified a dangerous flaw in the Windows Search service. Known by its alternative name, Bookworm, it has been reported to Microsoft, but the company has not yet released a patch for the issue.
All About The Bookworm Windows Search Service Vulnerability
The public disclosure of the Bookworm vulnerability has prompted the security community to take a closer look at the affected operating system component. The reports describe a Windows Search service vulnerability that is rated as dangerous both for the affected host and for the network it sits on. Following responsible disclosure practice, the zero-day bug was reported to Microsoft in due time; Microsoft, however, has still not released a patch that fixes the issue. Because no fix arrived within that window, details about the bug were posted publicly.
The discovery was made after a network analysis revealed suspicious behaviour by SearchProtocolHost.exe, the process that hosts the Windows Search indexer. The root cause appears to be improper handling of .URL shortcut files and the hyperlinks they contain. The FTP traffic generated by the process appeared at seemingly random intervals, which drew further attention to the output and ultimately led to the discovery of the threat.
Because the Windows component handles .URL files, along with the relevant code paths and file attributes, improperly, the analysts were able to pinpoint the origin of the bad behaviour. The malicious behaviour
The Bookworm Windows Search Service Vulnerability is triggered once its requirements are met: the user opens a folder containing the relevant file. This works even from removable storage devices such as USB flash drives. The malicious files allow the attackers to learn sensitive information about the affected hosts. The issue affects the default configuration of the operating system and dates back at least to Windows 7.
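The write-up states only that the indexer mishandles .URL files and that the result is outbound FTP traffic, so a defender's first practical question is which shortcut files on a share or USB stick point at FTP hosts at all. The triage scanner below is an added example written for this page; it is not code from the original report or from Microsoft. It walks a folder, parses each Internet Shortcut (an INI-style text file with an [InternetShortcut] section holding URL= and optionally IconFile= and IconIndex= keys) and flags files whose URL= or IconFile= value targets an ftp:// host. Which of those keys the Search indexer actually follows is not stated by the report, so inspecting both is an assumption of this example; the sample files, their names and the host 203.0.113.10 are constructed for the demonstration.

```python
"""Triage scanner: flag Internet Shortcut (.url) files that point at FTP hosts.

Added example for this page, not the original report's tooling. The .url
format is INI-style text with an [InternetShortcut] section; the keys
inspected here (URL and IconFile) are an assumption, since the report does
not say which field the indexer dereferences.
"""
import configparser
import os
import tempfile
from urllib.parse import urlsplit

# Keys whose value may be a remote URL that an indexer could follow (assumption).
WATCHED_KEYS = ("URL", "IconFile")

# Constructed sample shortcut files; 203.0.113.10 is a documentation address.
SAMPLES = {
    "benign.url": "[InternetShortcut]\r\nURL=https://example.com/\r\n",
    "ftp-link.url": "[InternetShortcut]\r\nURL=ftp://203.0.113.10/share/\r\n",
    "ftp-icon.url": (
        "[InternetShortcut]\r\nURL=https://example.com/\r\n"
        "IconFile=ftp://203.0.113.10/icon.ico\r\nIconIndex=0\r\n"
    ),
    "local-icon.url": (
        "[InternetShortcut]\r\nURL=https://example.com/\r\n"
        "IconFile=C:\\Windows\\System32\\shell32.dll\r\nIconIndex=3\r\n"
    ),
}


def parse_url_file(text):
    """Return the [InternetShortcut] key/value pairs, or {} if text is not a shortcut."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the original key case (URL, IconFile, ...)
    try:
        cp.read_string(text.replace("\r\n", "\n"))  # .url files are usually CRLF
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return dict(cp.items(section))
    return {}


def ftp_targets(fields):
    """Return (key, host) for every watched key whose value is an ftp:// URL to a host."""
    hits = []
    for key in WATCHED_KEYS:
        parts = urlsplit(fields.get(key, "").strip())
        if parts.scheme.lower() == "ftp" and parts.hostname:
            hits.append((key, parts.hostname))
    return hits


def scan_directory(root):
    """Walk root and map each .url path to the FTP targets found in it."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".url"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = ftp_targets(parse_url_file(fh.read()))
            if hits:
                findings[path] = hits
    return findings


def demo():
    """Write the constructed samples into a temporary folder and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name, text in SAMPLES.items():
            with open(os.path.join(root, name), "w", encoding="utf-8", newline="") as fh:
                fh.write(text)
        findings = scan_directory(root)
        # Report by file name so the result does not depend on the temp path.
        return {os.path.basename(p): hits for p, hits in findings.items()}


if __name__ == "__main__":
    for name, hits in sorted(demo().items()):
        for key, host in hits:
            print(f"{name}: {key} points at ftp host {host}")
```

Run it against a mounted USB drive or a file share root instead of the temporary folder to get a list of shortcuts worth quarantining; a hit only means the file references an FTP host, so confirm any actual beaconing by correlating with outbound port 21 connections from SearchProtocolHost.exe.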
Consequently, use of this bug in attacks can reveal the following information about the target hosts:
- State of the host machine and its public IP address.
- The network status of the user, namely whether the host sits behind a firewall that permits outbound FTP connections.
- When removable storage devices are connected to the host.
- Transfers of data to and from the affected directory.
To date, the Bookworm Windows Search Service Vulnerability has not been seen exploited in the wild, as the security researchers have received no reports indicating an intrusion.