Windows Settings Shortcuts Can Be Abused for Code Execution on Windows 10

LASER_oneXM

A new file type format added in Windows 10 can be abused for running malicious code on users' computers, according to Matt Nelson, a security researcher for SpecterOps.
The file type is ".SettingContent-ms", a file format introduced in Windows 10 in 2015. This file format is used to create shortcuts to Windows 10 settings pages, which Microsoft created as an alternative to classic Control Panel options.

SettingContent-ms can run malicious code

All SettingContent-ms files are nothing more than XML documents, which contain a <DeepLink> tag that specifies the on-disk location of the Windows 10 setting page that it will open when users double-click shortcuts.
... ...
...
No alert when opening SettingContent-ms from the Internet

Tricking users into opening such files appears to be an easy task as well. Nelson says he hosted a SettingContent-ms shortcut on a web server, and he was able to download and run it without Windows 10 or Windows Defender alerting the user at all.

"Yikes!! When this file comes straight from the internet, it executes as soon as the user clicks 'open'," Nelson wrote in his research. "For one reason or another, the file still executes without any notification or warning to the user."

Nelson recorded a video of him opening a SettingContent-ms shortcut he downloaded from a remote server.
.... ...
...
SettingContent-ms files bypass ASR

But that's not all. Nelson says SettingContent-ms also bypasses a Windows 10 security feature named Attack Surface Reduction (ASR).

ASR is a collection of various security rules. They are optional in Windows 10 and are disabled by default. One of the many ASR rules that users can enable can prevent Office documents from starting child processes, a technique used by malware to spread from an Office OLE object to their own process.
.. ... ..
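For defenders triaging these shortcuts on a mail gateway or file share, the sketch below reads the <DeepLink> value out of a SettingContent-ms document and lists reasons to review it. It is an added example, not part of the original post or of Nelson's research. The allowlist, the interpreter list, the sample documents (simplified layout, made-up namespace) and all function names are assumptions chosen for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumptions made for this example, not taken from the article:
EXPECTED = {"control.exe"}                      # targets treated as normal
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}

def deeplinks(xml_text):
    """Return the text of every DeepLink element, whatever its namespace."""
    root = ET.fromstring(xml_text)
    return [(el.text or "").strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "DeepLink"]

def assess(deeplink):
    """Return the reasons a DeepLink value deserves review (empty list = none)."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))(.*)', deeplink, re.S)
    if not m:
        return ["empty DeepLink"]
    target = (m.group(1) or m.group(2)).replace("/", "\\")
    binary = target.rsplit("\\", 1)[-1].lower()
    reasons = []
    if binary in INTERPRETERS:
        reasons.append(f"launches interpreter {binary}")
    elif binary not in EXPECTED:
        reasons.append(f"unexpected target {binary}")
    if m.group(3).strip():
        reasons.append("passes command-line arguments")
    return reasons

def scan(xml_text):
    """Map each DeepLink in one file's text to its review reasons."""
    if "<!DOCTYPE" in xml_text.upper():         # refuse DTDs in untrusted XML
        return {"<file>": ["contains a DTD"]}
    try:
        return {d: assess(d) for d in deeplinks(xml_text)}
    except ET.ParseError as exc:
        return {"<file>": [f"invalid XML: {exc}"]}

# Constructed samples with a simplified layout and a made-up namespace.
WRAP = '<PCSettings xmlns="urn:example:constructed"><DeepLink>{}</DeepLink></PCSettings>'
BENIGN = WRAP.format(r"%windir%\system32\control.exe")
SUSPECT = WRAP.format(r"%windir%\system32\cmd.exe /c placeholder-command")

if __name__ == "__main__":
    for name, text in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, scan(text))
```

An unquoted path containing spaces is split at the first space, so it is still flagged, but the reported target name is only the first fragment.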
 
