New Windows 10 vulnerability bypasses operating system defenses, says security researcher




Windows 10 PCs are at risk from attackers exploiting a file format to bypass key defenses in the operating system, according to new security research.

The .SettingContent-ms file type can be used to execute arbitrary and potentially dangerous code, Matt Nelson of Specter Ops has discovered.

Arbitrary code can be executed on a target machine by persuading a user to open a Word document that contains an embedded .SettingContent-ms file.

The embedded file included a link to the arbitrary code, and in Nelson's tests neither the Office Object Linking and Embedding (OLE) protections nor the Attack Surface Reduction (ASR) defenses offered by Windows 10 with Windows Defender stopped it from executing.

Nelson says that the code is not blocked by Office OLE protections because .SettingContent-ms is not included in the list of "dangerous" Office file formats.

Meanwhile, he was able to bypass the ASR protections by placing a link to the AppVLP program, used for application virtualization in Windows, next to the link to the arbitrary executable in the .SettingContent-ms file. This workaround was possible because ASR whitelists AppVLP, creating an exception to the usual ASR rule that blocks Office applications from creating child processes.

Nelson reported his findings to Microsoft in February of this year, but on June 4 he stated that Microsoft had responded "that the severity of the issue is below the bar for maintenance and that the deal will be closed."

However, Nelson has his own suggestions for measures that users can take to protect themselves against attacks exploiting this method.

"In the end, a .SettingContent-ms file should not be executed outside the path C:\Windows\ImmersiveControlPanel. Moreover, since the file format only allows the execution of shell commands, everything that runs will be subject to command line logging," he writes.

"It is also recommended to always monitor child process creations from Office applications. There are some applications that should be spawned under Office applications, so outlier monitoring can be helpful. A tool that can accomplish this is Sysmon."
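The two mitigations Nelson suggests above (a .SettingContent-ms file running from anywhere other than C:\Windows\ImmersiveControlPanel, and a child process created by an Office application that is not on a known-good baseline) translate directly into detection rules over Sysmon process-creation (Event ID 1) data. The following is an added example, not code from the article or from Specter Ops: it evaluates both rules against a handful of constructed event records. The Office process names, the AppVLP.exe path, the "expected children" baseline and the sample command lines are all assumptions for illustration and should be tuned to your own environment.

```python
"""Added example: two Sysmon-style detection rules for the .SettingContent-ms
technique, run over constructed process-creation (Event ID 1) records.
Not the article's code; all sample data and baselines are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Office parents whose child processes we want to baseline (assumed set).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children that Office legitimately spawns in this (assumed) estate; tune it.
EXPECTED_OFFICE_CHILDREN = {"splwow64.exe"}
# The only location the article says a .SettingContent-ms file belongs in.
CONTROL_PANEL_DIR = "c:\\windows\\immersivecontrolpanel\\"

# A quoted or bare path ending in .SettingContent-ms, case-insensitive.
SETTING_FILE_RE = re.compile(
    r'"([^"]*\.settingcontent-ms)"|(\S+\.settingcontent-ms)', re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str          # Sysmon 'Image'
    command_line: str   # Sysmon 'CommandLine'
    parent_image: str   # Sysmon 'ParentImage'


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def settingcontent_path(cmd: str) -> Optional[str]:
    """Return the .SettingContent-ms path referenced on a command line, if any."""
    m = SETTING_FILE_RE.search(cmd)
    return None if m is None else (m.group(1) or m.group(2))


def settingcontent_outside_control_panel(ev: ProcessEvent) -> bool:
    """Rule 1: a .SettingContent-ms file run from outside ImmersiveControlPanel."""
    path = settingcontent_path(ev.command_line)
    return path is not None and not path.lower().startswith(CONTROL_PANEL_DIR)


def office_child_outlier(ev: ProcessEvent) -> bool:
    """Rule 2: an Office application spawned a child not on the baseline."""
    if basename(ev.parent_image) not in OFFICE_PARENTS:
        return False
    return basename(ev.image) not in EXPECTED_OFFICE_CHILDREN


RULES = [settingcontent_outside_control_panel, office_child_outlier]


def evaluate(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    return [(i, rule.__name__)
            for i, ev in enumerate(events) for rule in RULES if rule(ev)]


WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # 0: Settings app opening a settings file from its own directory -> benign
    ProcessEvent(
        image=r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
        command_line=r'"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" '
                     r'"C:\Windows\ImmersiveControlPanel\Settings\Display.SettingContent-ms"',
        parent_image=r"C:\Windows\explorer.exe"),
    # 1: Word spawning a shell that references a settings file in Temp -> both rules
    ProcessEvent(
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\invoice.SettingContent-ms"',
        parent_image=WINWORD),
    # 2: Word spawning the 32/64-bit print helper -> on the baseline, benign
    ProcessEvent(
        image=r"C:\Windows\splwow64.exe",
        command_line="splwow64.exe",
        parent_image=WINWORD),
    # 3: Word spawning AppVLP.exe (assumed path) -> outlier child of Office
    ProcessEvent(
        image=r"C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVLP.exe",
        command_line=r'"AppVLP.exe" /?',
        parent_image=WINWORD),
]

if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} fired ({SAMPLE_EVENTS[idx].command_line})")
```

Event 1 trips both rules and event 3 trips only the Office-child rule, which is the point of the second quote: the AppVLP whitelisting that defeats ASR is invisible to a rule that only looks for the file extension, but it still shows up as an unusual child of WINWORD.EXE. In production the baseline of expected children should be derived from your own Sysmon data rather than hard-coded.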

Mozilla has also released a recent patch for Firefox that addressed a related vulnerability. The fix prevents a WebExtension for the browser with only the limited downloads.open permission from executing arbitrary code without user intervention on Windows 10 systems.

Microsoft did not respond to a request for comment at the time of publication.

Building a slide deck, pitch or presentation? Here are the big takeaways:

  • The .SettingContent-ms file format in Windows 10 can be used to execute arbitrary code on target computers. – Specter Ops, 2018
  • A .SettingContent-ms file should not be executed anywhere other than in the C:\Windows\ImmersiveControlPanel path. – Specter Ops, 2018

