Windows 10's new Modern Settings open up massive new security hole

Often adding new parts to an operating system or application opens up the possibility of new bugs or exploits.

Such appears to be the case with the modern Settings app in Windows 10, which comes along with a new file type which appears to have wide-ranging privileges.

Called “.SettingContent-ms”, the filetype is intended to allow shortcuts to the new Windows 10 Settings pages.

It turns out, according to  SpecterOps security researcher Matt Nelson, the XML file is a little bit too flexible.

It turns out “.SettingContent-ms” will accept any filepath in the needed deeplink, and including to CMD or Powershell, and that it can also chain commands, meaning it can do one thing and then also do the intended action, leaving the user none the wiser.

The filetype also bypasses all Windows Defender checks when downloaded from the Internet, and also bypasses ASR (Attack Surface Reduction) in Office, meaning it can be embedded via OLE in Office Documents and break out of the Office sandbox completely unchecked.

Despite all these exploit capabilities Nelson says Microsoft does not consider the extension a security issue, but he does suspect Microsoft will soon add the extension to its blacklist of filetypes which need to be examined more closely when downloaded from the internet or embedded in documents, likely not the case at the minute because it is relatively new and not being actively exploited.

Read Nelson’s full report on the security risk here.

Via BleepingComputer