Jump to content

Windows 10’s Settings page may contain large security hole


Recommended Posts

One of the most revolutionary features of Windows 10 when it launched was its new Windows Settings app, which was designed to make configuring the operating system easier than ever, but it may have inadvertently added a major security hole, according to a security researcher.

According to Matt Nelson, a security researcher for SpecterOps, the file type in question is '.SettingContent-ms'. This was introduced in Windows 10 in 2015, and its aim was to create shortcuts to Windows 10 settings pages. The idea was that this was a more user-friendly way of configuring Windows 10, compared to the old Control Panel of previous versions.

The problem is, these shortcuts are made up of an XML file which is easily editable to change the shortcut from pointing to a Settings page, to pointing to almost any file or program, including powerful tools such as the Command Prompt and Powershell.

Malicious users could change the shortcut (by editing the “DeepLink” value in the XML file) to run applications or commands (and even a series of commands in a chain), when the shortcut is clicked on. The user would have no idea that something had changed.

Under the radar

Perhaps what’s most concerning about this is that the .SettingContent-ms filetypes go undetected by Microsoft’s built-in security defences, such as Windows Defender and Microsoft Office’s Attack Surface Reduction tool. There is a fear that this exploit could be used by hiding SettingContent-ms files within Office documents.

As Nelson writes in his report, “when this file comes straight from the internet, it executes as soon as the user clicks 'Open' […] For one reason or another, the file still executes without any notification or warning to the user."

Nelson also shared a video of him opening up a SettingContent-ms file that he downloaded from the internet, with no warnings being displayed.

Nelson has contacted Microsoft, but apparently the company doesn't consider it a vulnerability in Windows 10. 

While no examples of malicious SettingContent-ms files have been found yet, we hope that Microsoft will address this issue soon. We’ve contacted Microsoft ourselves for comment.

Via Bleepingcomputer


View the full article

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...

Important Information

By using this site, you agree to our Terms of Use.