
Microsoft has been working on its Settings app in Windows 10 for a couple of years. The app will eventually replace Control Panel as the hub for all settings on the platform. However, changing the fabric of the operating system is not without its risks. It appears a flaw in Settings allows the app to be exploited.

The problem stems from a new file type called “.SettingContent-ms”. Yes, this is a Microsoft file for Windows 10 and comes with a range of privileges. At its core, the file allows shortcuts to be made to the Settings app. Despite its apparent usefulness, SpecterOps security researcher Matt Nelson says the XML file is too widespread and can be exploited.

According to Nelson, the SettingContent-ms file accepts any filepath in deeplink, including PowerShell and CMD paths. In other words, the file can perform one task simultaneously with another, without the user knowing there is a secondary task running:

“So, we now have a file type that allows arbitrary shell command execution and displays zero warnings or dialogues to the user. When trying to get initial access, going across a target's perimeter with an unusual file type can be risky. Ideally, this file would be placed in a container of a more common file type, such as an Office document.”
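A defender-side check for the behaviour described above, as an added example that is not code from the article or from Nelson's research: it parses the XML of a .SettingContent-ms file and reports any deeplink that invokes PowerShell or CMD. The `DeepLink` element name follows the article's "deeplink"; the surrounding element names, the namespace and both sample documents are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Interpreters the article names (PowerShell and CMD); extend for local policy.
SHELLS = {"powershell.exe", "powershell", "cmd.exe", "cmd"}

def deeplinks(xml_text):
    """Return the text of every DeepLink element, ignoring XML namespaces."""
    root = ET.fromstring(xml_text)
    return [(el.text or "").strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1].lower() == "deeplink"]

def programs(command):
    """Lower-cased base name of every token in a command line."""
    tokens = re.findall(r'"[^"]+"|\S+', command)
    return [re.split(r"[\\/]", t.strip('"'))[-1].lower() for t in tokens]

def audit(xml_text):
    """Return (program, deeplink) for each deeplink that starts a shell.

    A file that does not parse is reported rather than silently passed.
    """
    try:
        links = deeplinks(xml_text)
    except ET.ParseError:
        return [("unparseable", "")]
    findings = []
    for link in links:
        for prog in programs(link):
            if prog in SHELLS:
                findings.append((prog, link))
                break
    return findings

# Constructed samples (assumed layout, not copied from a real file).
BENIGN = r"""<PCSettings><SearchableContent xmlns="urn:example:constructed">
<ApplicationInformation>
<DeepLink>%windir%\system32\control.exe /name Microsoft.Default_Programs</DeepLink>
</ApplicationInformation></SearchableContent></PCSettings>"""

SUSPECT = r"""<PCSettings><SearchableContent xmlns="urn:example:constructed">
<ApplicationInformation>
<DeepLink>%windir%\system32\cmd.exe /c echo constructed-sample</DeepLink>
</ApplicationInformation></SearchableContent></PCSettings>"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, audit(doc))
```

The same check can run over attachments extracted at a mail gateway or over files unpacked from Office documents, since the quote above notes the file may arrive inside a more common container.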