Windows 10 PCs are at risk from hackers exploiting a file format to bypass key defenses in the OS, according to new security research.

The .SettingContent-ms file type can be used to run arbitrary, and potentially dangerous, code, research by the security firm Specter Ops has found.

The arbitrary code could be run on a target machine by getting a user to open a Word document that contains an embedded .SettingContent-ms file.

This embedded file would include a link to the arbitrary code, and tests run by Specter Ops’ Matt Nelson found that neither Office’s built-in Object Linking and Embedding (OLE) protections nor the Attack Surface Reduction (ASR) defenses offered by Windows 10 with Windows Defender stopped the code from being executed.

Nelson says that the code isn’t blocked by Office’s OLE protections due to .SettingContent-ms not being included in Office’s list of “dangerous” file formats.

Meanwhile, he was able to circumvent ASR protections by including a link to the AppVLP program, used for application virtualization in Windows, alongside the link to the arbitrary executable in the .SettingContent-ms file. This bypass was possible because AppVLP is whitelisted by ASR, creating an exception to ASR’s usual block on letting Office applications create child processes.

Nelson reported his findings to Microsoft in February of this year but on 4th June he said Microsoft responded saying “that the severity of the issue is below the bar for servicing and that the case will be closed”.

However, Nelson has his own suggestions for steps that users can take to protect against attacks exploiting this method.

“Ultimately, a .SettingContent-ms file should not be executing anywhere outside of the “C:\Windows\ImmersiveControlPanel” path. Additionally, since the file format only allows for executing shell commands, anything being run through that file is subject to command line logging,” he writes.

“It is also a good idea to always monitor child process creations from Office applications. There are a few applications that should be spawning under the Office applications, so monitoring for outliers can be useful. One tool that can accomplish this is Sysmon.”
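The two checks Nelson describes, written as detection logic over process and file events. This is an added example, not code from the article or from Specter Ops. The events are constructed samples using Sysmon field names, and the Office and expected-child lists are assumptions to tune per environment.

```python
import ntpath
import re

# Directory named in the quote above as the only legitimate location.
ICP = "C:\\Windows\\ImmersiveControlPanel\\"
TRUSTED_DIR = ntpath.normcase(ICP)
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumption: children treated as normal under Office; tune per environment.
EXPECTED_CHILDREN = OFFICE | {"splwow64.exe"}
# Quoted or bare path ending in .SettingContent-ms inside a command line.
SC_PATH = re.compile(r'"([^"]+\.settingcontent-ms)"|(\S+\.settingcontent-ms)', re.I)

def outside_trusted_dir(path):
    """True when the path, with '..' collapsed, is not under TRUSTED_DIR."""
    return not ntpath.normcase(ntpath.normpath(path)).startswith(TRUSTED_DIR)

def review(events):
    """Return (reason, event) pairs for Sysmon-style process/file events."""
    findings = []
    for ev in events:
        paths = [a or b for a, b in SC_PATH.findall(ev.get("CommandLine", ""))]
        target = ev.get("TargetFilename", "")
        if target.lower().endswith(".settingcontent-ms"):
            paths.append(target)
        if any(outside_trusted_dir(p) for p in paths):
            findings.append(("settingcontent-ms outside trusted path", ev))
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        child = ntpath.basename(ev.get("Image", "")).lower()
        if parent in OFFICE and child and child not in EXPECTED_CHILDREN:
            findings.append(("unexpected Office child process", ev))
    return findings

# Constructed sample events, Sysmon field names (1 = process create, 11 = file create).
WORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": WORD, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c echo constructed"},
    {"EventID": 1, "ParentImage": WORD, "Image": "C:\\Windows\\splwow64.exe",
     "CommandLine": "splwow64.exe 8192"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\alice\\Temp\\q3 report.SettingContent-ms"},
    {"EventID": 11, "TargetFilename": ICP + "..\\Temp\\x.SettingContent-ms"},
    {"EventID": 11, "TargetFilename": ICP + "Settings\\example.SettingContent-ms"},
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'cmd /c "C:\\Users\\alice\\Downloads\\a b.SettingContent-ms"'},
]

if __name__ == "__main__":
    for reason, ev in review(SAMPLE_EVENTS):
        print(reason, "|", ev.get("CommandLine") or ev["TargetFilename"])
```

The path check collapses `..` segments before comparing, so a file that only appears to sit under the trusted directory is still flagged.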

Mozilla also issued a recent fix for Firefox that addressed an exploit related to the vulnerability. The fix prevents a WebExtension for the browser that has the limited permission from executing arbitrary code without user interaction on Windows 10 systems.

Microsoft had not responded to a request for comment at the time of publication.

Building a slide deck, pitch, or presentation? Here are the big takeaways:

  • Windows 10’s SettingContent-ms file format can be used to run arbitrary code on PCs — Specter Ops, 2018
  • A .SettingContent-ms file should not be executing anywhere outside of the “C:\Windows\ImmersiveControlPanel” path. — Specter Ops, 2018