One of the most revolutionary features of Windows 10 when it launched was its new Windows Settings app, which was designed to make configuring the operating system easier than ever, but it may have inadvertently added a significant security hole, according to a security researcher.
According to Matt Nelson, a security researcher for SpecterOps, the file type in question is ‘.SettingContent-ms’. This was introduced in Windows 10 in 2015, and its purpose was to create shortcuts to Windows 10 settings pages. The idea was that this was a more user-friendly way of configuring Windows 10, compared to the old Control Panel of earlier versions.
The problem is that these shortcuts are made up of an XML file which is easily editable to change the shortcut from pointing to a Settings page to pointing to almost any file or program, including powerful tools such as the Command Prompt and PowerShell.
Malicious users could change the shortcut (by editing the “DeepLink” value in the XML file) to run applications or commands (or even a series of commands in a chain) when the shortcut is clicked on. The user would have no idea that anything had changed.
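A defender-side check for the edit described above, as an added example that is not from Nelson's report or from Microsoft: it parses a .SettingContent-ms file and flags any DeepLink value that starts a command interpreter or chains commands. Only the DeepLink element name comes from the article; the other element names, the launcher list and both sample files are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: programs a Settings shortcut has no reason to start.
LAUNCHERS = re.compile(
    r"\b(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b",
    re.IGNORECASE)
CHAINING = re.compile(r"[&|;]")  # operators used to run a series of commands

def deeplinks(data: bytes) -> list:
    """Return every DeepLink value in the file, whatever its XML namespace."""
    if b"<!DOCTYPE" in data.upper():
        # Untrusted input: refuse DTDs so entity tricks never reach the parser.
        raise ValueError("DOCTYPE not expected in a shortcut file")
    root = ET.fromstring(data)
    return [(el.text or "").strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "DeepLink"]

def audit(data: bytes) -> list:
    """Return (deeplink, reasons) for each DeepLink that looks like a command."""
    findings = []
    for link in deeplinks(data):
        reasons = []
        match = LAUNCHERS.search(link)
        if match:
            reasons.append("launches " + match.group(1).lower())
        if CHAINING.search(link):
            reasons.append("chains commands")
        if reasons:
            findings.append((link, reasons))
    return findings

# Constructed samples (not real files): a settings-style shortcut and one
# whose DeepLink was edited to start the Command Prompt with two commands.
BENIGN = rb"""<?xml version="1.0" encoding="UTF-8"?>
<PCSettings><SearchableContent xmlns="urn:example:constructed">
<ApplicationInformation>
<DeepLink>%windir%\system32\control.exe /name Microsoft.DefaultPrograms</DeepLink>
</ApplicationInformation></SearchableContent></PCSettings>"""
EDITED = rb"""<?xml version="1.0" encoding="UTF-8"?>
<PCSettings><SearchableContent xmlns="urn:example:constructed">
<ApplicationInformation>
<DeepLink>%windir%\system32\cmd.exe /c echo one &amp; echo two</DeepLink>
</ApplicationInformation></SearchableContent></PCSettings>"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("edited", EDITED)):
        print(name, audit(sample))
```

The same `audit` function can be run over attachments or files extracted from Office documents at a mail or web gateway, since the article notes the built-in defences did not inspect this file type.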
Under the radar
Perhaps what’s most concerning about this is that .SettingContent-ms files go undetected by Microsoft’s built-in security defences, such as Windows Defender and Microsoft Office’s Attack Surface Reduction tool. There’s a concern that this exploit could be used by hiding SettingContent-ms files inside Office documents.
As Nelson writes in his report, “when this file comes straight from the web, it executes as soon as the user clicks ‘Open’ […] For one reason or another, the file nonetheless executes without any notification or warning to the user.”
Nelson also shared a video of him opening a SettingContent-ms file that he downloaded from the internet, with no warnings being displayed.
Nelson has contacted Microsoft, but apparently the company does not consider it a vulnerability in Windows 10.
While no examples of malicious SettingContent-ms files have been found yet, we hope that Microsoft will address this issue soon. We’ve contacted Microsoft ourselves for comment.
Via Bleepingcomputer