Slashdot Mirror


Malware Authors Seem Intent on Weaponizing Windows SettingContent-ms Files (bleepingcomputer.com)

An anonymous reader shares a report: Malware authors are frantically trying to weaponize a new infection vector that was revealed at the start of June. The trick relies on using Windows Settings (.SettingContent-ms) shortcut files in order to achieve code execution on Windows 10 PCs. Ever since SpecterOps security researcher Matt Nelson published his research on the matter three weeks ago, malware authors have been playing around with proof-of-concept code in attempts of crafting an exploit that can deploy weaponized malware on a victim's system. With each passing day, more and more exploits are being uploaded on VirusTotal.

15 of 50 comments

  1. Doesn't Microsoft hire black hats? by mykepredko · · Score: 3, Insightful

    Good description of the .SettingContent-ms exploit - I would have thought that this would jump out to a Malware author as soon as the feature was announced (regardless of the fact that there is ASR used by large network sysadmins).

    Doesn't Microsoft have a bunch of people on staff that think like black hats (probably because they used to be them) with the task of looking for problems like this? At the very least shouldn't somebody have twigged onto the idea that providing a new way to allow new programs to run (as well as spawn new processes) be something that Microsoft security should review?

    1. Re:Doesn't Microsoft hire black hats? by JaredOfEuropa · · Score: 4, Insightful

      One really doesn’t have to be a blackhat to spot at least some of the various issues of this feature. This isn’t security expert stuff, but “what the hell were they smoking” territory.

      We wouldn’t need these shortcuts in the first place if MS kept the control panel at least somewhat consistent between versions, instead of rearranging the control panel and every damn thing in it on every release. Including Windows Server releases. IIRC some stuff (might have been Exchange related) went from a control panel item to something under the start menu to a double secret (separately downloadable) MMC snap-in (and who came up with that brilliant idea) to a web interface.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    2. Re:Doesn't Microsoft hire black hats? by Anonymous Coward · · Score: 2, Interesting

      Doesn't Microsoft have a bunch of people on staff that think like black hats (probably because they used to be them) with the task of looking for problems like this?

      From the article:

      "Nelson contacted Microsoft, but they do not consider this a vulnerability in the OS. "

    3. Re:Doesn't Microsoft hire black hats? by LVSlushdat · · Score: 1, Interesting

      Shit like this makes me sooooooo VERY happy I no longer allow ANYthing MS on any network I control...

      --
      THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
    4. Re:Doesn't Microsoft hire black hats? by mykepredko · · Score: 2

      That's exactly what I thought when I RTFA, but I wasn't sure if I was missing something.

    5. Re:Doesn't Microsoft hire black hats? by AHuxley · · Score: 2

      It's like a new deep Microsoft Chrome https://en.wikipedia.org/wiki/... but deep in the OS and browser. To make the ads and support work.

      --
      Domestic spying is now "Benign Information Gathering"
    6. Re:Doesn't Microsoft hire black hats? by Blue+Stone · · Score: 1

      >Doesn't Microsoft have a bunch of people on staff that think like black hats (probably because they used to be them) with the task of looking for problems like this?

      From the looks of Windows 10, they don't even have Quality Assurance reviewers anymore.

      --
      Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
    7. Re:Doesn't Microsoft hire black hats? by DeVilla · · Score: 1

      Doesn't Microsoft have a bunch of people on staff that think like black hats (probably because they used to be them) with the task of looking for problems like this?

      I assumed that was who they had developing the system. I figured it was obvious when the original versions of Win10 would send your wireless credentials to everyone on any contact list it could find.

  2. Re:Why Did BSD Die? by Anonymous Coward · · Score: 1

    Berkeley is now at the heart of destroying the free speech and freedom of assembly and association. It is a truly stunning turnabout from freedom to totalitarianism.

    FreeBSD and its relatives have institutionalized a thought police. If you don't agree with their manifesto of leftist SJW talking points you will be kicked out. You won't even get email support. Some of the infractions are disagreeing with open borders, voting for Donald Trump, questioning global warming, believing that marriage is a tradition defining the relationship between a man and a woman. The FreeBSD manifesto is chilling, shocking, and unimaginable. It is no fucking wonder that FreeBSD is deep in the shitter. If they spent half as much time addressing bugs and features as they do SJW stuff, then they might not be scraping rock bottom.

  3. Vulnerability description by Anonymous Coward · · Score: 5, Informative

    In case this is news to you and you're wondering about this vulnerability, here's a description.
    Microsoft has introduced a new file format (extension: .SettingContent-ms) to link to settings pages. In this format a <DeepLink> tag contains the application to run in order to display the settings page. So like program information files (.pif), shortcuts (.lnk), batch files (.bat) and so on these should be treated as executable programs, because these files can do anything the author wishes. Just specify "%WINDIR%\System32\cmd.exe /c ..." as the command line.
    But apparently Microsoft itself didn't appropriately mark the new shortcut file type as executable and because it's a new file type, third-party vendors of things like anti-virus software, web browsers and e-mail clients haven't caught up yet either.
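    The description above boils down to one rule: the value of the `<DeepLink>` element is a command line, so a settings shortcut should be triaged the way a `.lnk` or `.bat` would be. The following is an added example (not code from the linked article, from SpecterOps or from Microsoft) of that triage in Python: it extracts every `<DeepLink>` from a `.SettingContent-ms` document, flags links that name an interpreter or carry arguments, and leaves the normal "bare path to control.exe" and `ms-settings:` forms alone. Only the `<DeepLink>` element is named on the page; the enclosing element names, the namespace URI, the interpreter list and both sample files are assumptions constructed for the example.

```python
"""Triage helper for .SettingContent-ms files.

Added example, not code from the article or the researcher it cites. The page
names only the <DeepLink> element; the surrounding XML layout, namespace and
interpreter list below are assumptions made for this demonstration.
"""
import re
import xml.etree.ElementTree as ET

# Binaries that turn "open a settings page" into "run whatever follows".
# Assumed list of common interpreters / living-off-the-land binaries; extend as needed.
INTERPRETERS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe",
}

# First token is the executable (optionally quoted); the rest is its argument string.
_CMDLINE = re.compile(r'\s*(?:"([^"]+)"|(\S+))(.*)$')

# Constructed sample of a legitimate settings shortcut (layout and namespace assumed).
BENIGN_SAMPLE = r"""<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\system32\control.exe</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>"""

# Constructed sample of the abuse the comment describes: the deep link is a cmd.exe
# command line instead of a settings page. The payload here is a harmless echo.
MALICIOUS_SAMPLE = r"""<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%WINDIR%\System32\cmd.exe /c echo constructed-sample</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>"""


def deep_links(xml_text):
    """Return the text of every <DeepLink> element, regardless of XML namespace."""
    root = ET.fromstring(xml_text)
    found = []
    for el in root.iter():
        # ElementTree renders namespaced tags as "{uri}Name"; compare the local name only,
        # so a file with or without the default namespace is handled the same way.
        if el.tag.rsplit("}", 1)[-1] == "DeepLink":
            found.append((el.text or "").strip())
    return found


def assess_deep_link(link):
    """Return reasons this deep link looks like code execution (empty list = benign)."""
    reasons = []
    if link.lower().startswith("ms-settings:"):
        return reasons  # a settings URI, not a program path
    m = _CMDLINE.match(link)
    exe = (m.group(1) or m.group(2)) if m else link
    args = m.group(3).strip() if m else ""
    base = re.split(r"[\\/]", exe)[-1].lower()  # basename, env vars left unexpanded
    if base in INTERPRETERS:
        reasons.append(f"launches interpreter/LOLBin: {base}")
    if args:
        reasons.append(f"carries command-line arguments: {args!r}")
    return reasons


def scan_setting_content(xml_text):
    """Parse one .SettingContent-ms document and return a list of findings."""
    try:
        links = deep_links(xml_text)
    except ET.ParseError as exc:
        # A shortcut that does not even parse deserves a look rather than a pass.
        return [f"not well-formed XML ({exc}); treat as suspicious"]
    findings = []
    for link in links:
        for reason in assess_deep_link(link):
            findings.append(f"DeepLink {link!r}: {reason}")
    return findings


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("malicious", MALICIOUS_SAMPLE)):
        print(name, scan_setting_content(sample) or ["no findings"])
```

    The two signals are deliberately independent: a deep link to `cmd.exe` with no arguments and a deep link to an unknown binary with arguments are both reported, so a sample that swaps in an interpreter not on the list still trips the argument check. Matching on the local tag name keeps the parser working whether or not the file declares the default namespace.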

    1. Re:Vulnerability description by RandomFactor · · Score: 5, Interesting

      It gets better.

      The actual extension name confuses at least one major email protection service and it won't catch an email containing it even if you do add it to your extension/type blocks. Test after blocking.

      Also worthy of note - Chrome warns settingcontent-ms is a potentially dangerous file type if you download one (haven't tried other browsers yet.)

      --
      --- Mercutio was right.
  4. Stupid Win10 by Anonymous Coward · · Score: 1

    All those wankers claiming Win10 is inherently safer than Win7 because it is "new" and "supported".

    Fucking idiots the lot of them.

    Just try to imagine all of the new code in Win10 and the as-yet undiscovered exploits, just like this one.

    Code gets stronger/better/safer over time, which is almost the exact opposite of physical goods.

    1. Re:Stupid Win10 by AHuxley · · Score: 1

      But it's free from MS for the user.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:Stupid Win10 by LordWabbit2 · · Score: 1

      Code gets stronger/better/safer over time

      No it doesn't, it ends up full of kludges and hacks and at some point needs to be rewritten to make it stable again. Sure the new code will contain new bugs, but anything more complex than "Hello World" probably has a bug somewhere. If you want to stick with windows 7 then go for it, when the newer version of xyz software no longer runs on it you will be forced to upgrade - whether you like it or not.

      I am sure there are PCs sitting in some back room somewhere that still run DOS, still do what they are needed to do and are therefore not replaced. I've come across OS/2 Warp PCs and that OS died before I even started working as a programmer. There is a Windows NT4 box sitting at the reserve bank (in my country, not the US) that is quietly doing its job, it's not exposed to the internet and they leave it alone. There was an attempt to upgrade it, but the software that runs on it only runs on NT4 (for some reason, I was not part of the upgrade so I have no idea what the problem was) and the company that wrote it no longer exists, so they put NT4 back on and left it.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
    3. Re:Stupid Win10 by LordWabbit2 · · Score: 1

      Other than my original payment to MS for a license (and then upgrading to Enterprise because I wanted to play with VMs) I have not paid a cent more. So why do you say it's not free?

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.