Windows 10’s Settings page may contain large security hole


One of the most revolutionary features of Windows 10 when it launched was its new Windows Settings app, which was designed to make configuring the operating system easier than ever, but it may have inadvertently added a major security hole, according to a security researcher.

According to Matt Nelson, a security researcher for SpecterOps, the file type in question is '.SettingContent-ms'. This was introduced in Windows 10 in 2015, and its aim was to create shortcuts to Windows 10 settings pages. The idea was that this was a more user-friendly way of configuring Windows 10, compared to the old Control Panel of previous versions.

The problem is, these shortcuts are made up of an XML file which is easily editable to change the shortcut from pointing to a Settings page, to pointing to almost any file or program, including powerful tools such as the Command Prompt and Powershell.

Malicious users could change the shortcut (by editing the “DeepLink” value in the XML file) to run applications or commands (and even a series of commands in a chain), when the shortcut is clicked on. The user would have no idea that something had changed.

Under the radar

Perhaps what’s most concerning about this is that the .SettingContent-ms filetypes go undetected by Microsoft’s built-in security defences, such as Windows Defender and Microsoft Office’s Attack Surface Reduction tool. There is a fear that this exploit could be used by hiding SettingContent-ms files within Office documents.

As Nelson writes in his report, “when this file comes straight from the internet, it executes as soon as the user clicks 'Open' […] For one reason or another, the file still executes without any notification or warning to the user."

Nelson also shared a video of him opening up a SettingContent-ms file that he downloaded from the internet, with no warnings being displayed.

Nelson has contacted Microsoft, but apparently the company doesn't consider it a vulnerability in Windows 10. 

While no examples of malicious SettingContent-ms files have been found yet, we hope that Microsoft will address this issue soon. We’ve contacted Microsoft ourselves for comment.

Via Bleepingcomputer