Windows 10’s Settings page may contain large security hole

One of the most revolutionary features of Windows 10 when it launched was its new Windows Settings app, which was designed to make configuring the operating system easier than ever, but it may have inadvertently added a major security hole, according to a security researcher.

According to Matt Nelson, a security researcher for SpecterOps, the file type in question is '.SettingContent-ms'. This was introduced in Windows 10 in 2015, and its aim was to create shortcuts to Windows 10 settings pages. The idea was that this was a more user-friendly way of configuring Windows 10, compared to the old Control Panel of previous versions.

The problem is, these shortcuts are made up of an XML file which is easily editable to change the shortcut from pointing to a Settings page, to pointing to almost any file or program, including powerful tools such as the Command Prompt and Powershell.

Malicious users could change the shortcut (by editing the “DeepLink” value in the XML file) to run applications or commands (and even a series of commands in a chain), when the shortcut is clicked on. The user would have no idea that something had changed.

Under the radar

Perhaps what’s most concerning about this is that the .SettingContent-ms filetypes go undetected by Microsoft’s built-in security defences, such as Windows Defender and Microsoft Office’s Attack Surface Reduction tool. There is a fear that this exploit could be used by hiding SettingContent-ms files within Office documents.

As Nelson writes in his report, “when this file comes straight from the internet, it executes as soon as the user clicks 'Open' […] For one reason or another, the file still executes without any notification or warning to the user."

Nelson also shared a video of him opening up a SettingContent-ms file that he downloaded from the internet, with no warnings being displayed.

Nelson has contacted Microsoft, but apparently the company doesn't consider it a vulnerability in Windows 10. 

While no examples of malicious SettingContent-ms files have been found yet, we hope that Microsoft will address this issue soon. We’ve contacted Microsoft ourselves for comment.

Via Bleepingcomputer

TOPICS
Matt Hanson
Managing Editor, Core Tech

Matt is TechRadar's Managing Editor for Core Tech, looking after computing and mobile technology. Having written for a number of publications such as PC Plus, PC Format, T3 and Linux Format, there's no aspect of technology that Matt isn't passionate about, especially computing and PC gaming. He’s personally reviewed and used most of the laptops in our best laptops guide - and since joining TechRadar in 2014, he's reviewed over 250 laptops and computing accessories personally.

Latest in Windows
girl using laptop hoping for good luck with her fingers crossed
Windows 11 24H2 seems to be a massive fail – so Microsoft apparently working on 25H2 fills me with hope... and fear
A woman sitting in a chair looking at a Windows 11 laptop
It looks like Microsoft might have thought better about banishing Copilot AI shortcut from Windows 11
Using Zipped files and folders in Windows 11
Windows 11 should soon be faster at extracting files from compressed ZIPs – and it’s about time, frankly
Xbox Wireless Controller
Microsoft is adding a powerful new feature for using Xbox controllers with Windows 11
Woman disgusted by her laptop
Embarrassing Windows 11 bug that deleted Copilot app is now fixed – but will anyone outside of Microsoft care?
Student sat at a desk with a laptop in a dormitory looking at a mobile phone
Windows 11 could eventually help you understand how fast your PC is - as well as offer tips for making your PC or laptop faster for free
Latest in News
Open AI
OpenAI live stream - could we see a major ChatGPT upgrade?
Apple WWDC 2025 announced
Apple just announced WWDC 2025 starts on June 9, and we'll all be watching the opening event
Hornet swings their weapon in mid air
Hollow Knight: Silksong gets new Steam metadata changes, convincing everyone and their mother that the game is finally releasing this year
OpenAI logo
OpenAI just launched a free ChatGPT bible that will help you master the AI chatbot and Sora
NetSuite EVP Evan Goldberg at SuiteConnect London 2025
"It's our job to deliver constant innovation” - NetSuite head on why it wants to be the operating system for your whole business
Monster Hunter Wilds
Monster Hunter Wilds Title Update 1 launches in early April, adding new monsters and some of the best-looking armor sets I need to add to my collection