Hi all, this is Jamie at Panacea 🙂
I’ve been learning so much in my last few months here that it’s hard to keep up some days. I know I’m not the only one just trying to keep my head above water with how quickly things change and how scary some of these things are… So I’m hoping that sharing all of my newfound knowledge helps you as much as it’s been helping me!!
That all said, here’s another great article from our partners at Sophos answering my question: What is all this????
Just as the dust started to settle on the weirdly-named Follina vulnerability…
… along came another zero-day Windows security hole.
We’re not convinced that this one is quite as dramatic or as dangerous as some of the headlines seem to suggest (which is why we carefully added the words “sort of” above), but we’re not surprised that researchers are currently looking for new ways to abuse the many proprietary URL types in Windows.
URL schemes revisited
The Follina bug, now more properly known as CVE-2022-30190, hinges on a weird, non-standard URL supported by the Windows operating system.
Loosely speaking, most URLs are structured so they tell you, or the software you’re using, where to go, how to get there, and what to ask for when you arrive.
For example, the URL…
…says, “Use the scheme called https: to connect to a server called example.com and then request a file called
Similarly, the URL…
…says, “Look for a file on the local computer called thisone.txt in the directory
And the URL…
…says, “Do an LDAP lookup via TCP port 8888 to server 192.168.1.79, and search for an object called
But Windows includes a lengthy list of proprietary URL schemes (the letters up to the first colon character), also known as protocol handlers, that can be used to trigger a range of non-standard activities simply by referencing the special URL.
The Follina bug, for example, took devious advantage of the URL scheme ms-msdt:, which relates to system diagnostics.
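To make the “scheme, where, how, what” breakdown above concrete, and to show the kind of check a defender can run on text pulled out of documents or e-mail, here is an added Python example. It is not code from the Sophos article or from Panacea: the scheme allowlist, the URL regex, and the sample text (including the ms-msdt: line, whose argument is a meaningless placeholder) are all constructed for this example. It splits each URL into its scheme, host, port and path, and flags any URL whose scheme is not one of the ordinary ones you expect to see, which is how a proprietary Windows scheme such as ms-msdt: stands out.

```python
import re
from urllib.parse import urlsplit

# Schemes that ordinary documents and web pages legitimately contain.
# This allowlist is an assumption for the example; tune it to your environment.
ALLOWED_SCHEMES = {"http", "https", "mailto", "file", "ldap", "ftp"}

# Generic URL shape: a scheme (letter, then letters/digits/+/-/.) followed by ":"
# and at least one non-space character. Kept simple on purpose; it is a triage
# filter, not a full RFC 3986 parser.
URL_RE = re.compile(r"\b([A-Za-z][A-Za-z0-9+.-]*):([^\s\"'<>]+)")

# Constructed sample text, standing in for text extracted from a document.
# The ms-msdt: argument is a placeholder, not a real diagnostic invocation.
SAMPLE_TEXT = """Constructed sample document text for this example.
See https://example.com/index.html and file:///C:/docs/thisone.txt
Directory lookup: ldap://192.168.1.79:8888/cn=example
Suspicious reference: ms-msdt:placeholder-argument-not-a-real-payload
"""


def describe(url):
    """Break a URL into the pieces the article describes: how (scheme),
    where (host and port) and what to ask for (path)."""
    parts = urlsplit(url)
    return {
        "scheme": parts.scheme.lower(),
        "host": parts.hostname,   # None for file: URLs with no host
        "port": parts.port,       # None when no explicit port is given
        "path": parts.path,
    }


def find_urls(text):
    """Return every substring of text that looks like scheme:something."""
    return [m.group(0) for m in URL_RE.finditer(text)]


def flag_unusual_schemes(text, allowed=ALLOWED_SCHEMES):
    """Return (url, scheme) pairs for every URL whose scheme is not allowlisted.
    Proprietary protocol-handler schemes like ms-msdt: land here for review."""
    findings = []
    for url in find_urls(text):
        scheme = url.split(":", 1)[0].lower()
        if scheme not in allowed:
            findings.append((url, scheme))
    return findings


if __name__ == "__main__":
    for url in find_urls(SAMPLE_TEXT):
        print(describe(url))
    for url, scheme in flag_unusual_schemes(SAMPLE_TEXT):
        print(f"REVIEW: non-standard scheme {scheme!r} in {url}")
```

An allowlist rather than a blocklist is the deliberate choice here: Windows registers many protocol handlers, and new ones get abused as they are discovered, so flagging everything outside the handful of schemes your users actually need is more robust than enumerating the bad ones.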