Malware Authors Seem Intent on Weaponizing Windows SettingContent-ms Files

An anonymous reader shares a report: Malware authors are frantically trying to weaponize a new infection vector that was revealed at the start of June. The trick relies on using Windows Settings (.SettingContent-ms) shortcut files in order to achieve code execution on Windows 10 PCs. Ever since SpecterOps security researcher Matt Nelson published his research on the matter three weeks ago, malware authors have been playing around with proof-of-concept code in attempts of crafting an exploit that can deploy weaponized malware on a victim's system. With each passing day, more and more exploits are being uploaded on VirusTotal.

Re:Doesn't Microsoft hire black hats?

[JaredOfEuropa]

One really doesn’t have to be a blackhat to spot at least some of the various issues of this feature. This isn’t security expert stuff, but “what the hell were they smoking” territory.

We wouldn’t need these shortcuts in the first place if MS kept the control panel at least somewhat consistent between versions, instead of rearranging the control panel and every damn thing in it on every release. Including Windows Server releases. IIRC some stuff (might have been Exchange related) went from a control panel item to something under the start menu to a double secret (separately downloadable) MMC snap-in (and who came up with that brilliant idea) to a web interface.

Vulnerability description

In case this is news to you and you're wondering about this vulnerability, here's a description.
Microsoft has introduced a new file format (extension: .SettingContent-ms) to link to settings pages. In this format a <DeepLink> tag contains the application to run in order to display the settings page. So like program information files (.pif), shortcuts (.lnk), batch files (.bat) and so on these should be treated as executable programs, because these files can do anything the author wishes. Just specify "%WINDIR%\System32\cmd.exe /c ..." as the command line.
But apparently Microsoft itself didn't appropriately mark the new shortcut file type as executable and because it's a new file type, third-party vendors of things like anti-virus software, web browsers and e-mail clients haven't caught up yet either.

Re:Vulnerability description

[RandomFactor]

It gets better.

The actual extension name confuses at least one major email protection service and it won't catch an email containing it even if you do add it to your extension/type blocks. Test after blocking.

Also worthy of note - Chrome warns settingcontent-ms is a potentially dangerous file type if you download one (haven't tried other browsers yet.)