Windows 10's defences are pretty robust these days, so of course folk are trying to break them

Hackers have been experimenting with a newly discovered technique to commandeer Windows 10 boxes. The approach, revealed at the start of June, relies on abusing Windows Settings files (.SettingContent-ms), an XML file type introduced in Windows 10. The technology allows users to create "shortcuts" to various Windows settings …

  1. SVV

    Office Applications? OLE?

    I have discovered 3 examples of such atrociously insecure and idiotic shit during my work since the start of the year, sitting on the obscure edge of fundamental business processes but entirely necessary for them to work at this moment in time, thinking "who the fuck decided to introduce the concept of workflow via the medium of Excel spreadsheets", and now we find out that the latest version of Windows has a main attack vector via XMLisation so that every company which has installed it can be owned by someone crafting something like:

    <OnScriptRequest>

    <Request application="Office365">

    <command name="host.deleteall"/>

    <privilege="administrator"/>

    </Request>

    <onScriptRequest>

    and embedding it in an email (possibly). Good old MS, still amazingly confused about the incompatibility of infinite flexibility and robust security.

    1. This post has been deleted by its author

      1. Anonymous Coward

        "Win10 supposed to bring higher-level security"

        For sure, it was in the Marketing materials pack for Win-10 adoption. Aimed at corporations especially. However, being marketing it could have been better categorized as 'Fake News'!

        1. bombastic bob Silver badge
          Unhappy

          Re: "Win10 supposed to bring higher-level security"

          Well, if Windows IS getting better (security-wise), I suggest that Micro-shaft COULD have solved this OVER A DECADE AGO if they'd focused their efforts on SECURITY instead of RE-INVENTING THE GUI 4 TIMES (1)! And "the slurp". And "the ads". And "the Metro". And UWP. And "the Start Thing". And the 2D FLATSO. And the FORCED UPDATES to make sure we *ALL* suffer equally with the "new, shiny", DAMMIT!

          (1) 4 times: that would be Vista, 7, "Ape", and Win-10-nic. 7 was acceptable. The other 3 are *NOT*.

          I think we'd ALL be a LOT happier if we were still using XP (with bug and security fixes).

          1. Anonymous Coward

            Re: "Win10 supposed to bring higher-level security"

            "I think we'd ALL be a LOT happier if we were still using XP"

            Keep going to Windows 2000 and I agree.

          2. Adrian 4

            Re: "Win10 supposed to bring higher-level security"

            Bob, I feel your pain.

            But it's self-inflicted. Whatever the convenience for you of using some Windows app, can it really be worth the hassle? Just find another way and give it up. You know it makes sense.

            Then we can all enjoy your perspective without the computer-induced rage.

    2. Zippy's Sausage Factory
      Meh

      Re: Office Applications? OLE?

      "who the fuck decided to introduce the concept of workflow via the medium of Excel spreadsheets"

      Microsoft BizTalk, I guess?

      "They're going to be using our workflow engine, so how can we further lock them into our 'ecosystem'?"

      "Make a dodgy Excel connector and then sort of get halfway ish with workflow in Excel?"

      "Well done, there. Well done."

      (No joke icon because I'm half serious here)

      1. TheVogon

        Re: Office Applications? OLE?

        "Microsoft BizTalk, I guess?"

        What? BizTalk is a server based message bus type product.

  2. Paul 129
    Facepalm

    FFS!

    Each version this same old same old. New system, new way to execute arbitrary code, cause wow isn't it useful and clever.

    Yes! It is NOT useful and NOT clever!

    <unpublishable-swearing-rant-about-agile-developers-needing-to-grow-up-or-run-for-their-lives-omitted/>

    1. Dan 55 Silver badge

      Re: FFS!

      Hey, if you're going to execute any old tat through e-mail or a web browser, at least it's readable XML instead of binary as in PIF or LNK files. That's progress!

  3. Anonymous Coward

    Security for Windows 10

    Lock it up in a secure air-gapped telemetry-proof padded cell in a straitjacket because no one who respects their own personal data privacy should be touching it with a barge pole.

    1. Rich 11

      Re: Security for Windows 10

      I have just one question: how thick should the concrete be around that padded cell?

      1. Dan 55 Silver badge

        Re: Security for Windows 10

        It should go as far as the inside wall of the heavy lead tank that surrounds everything, no air gaps. MS have got all the details for you.

      2. harmjschoonhoven
        Facepalm

        Re: Security for Windows 10

        Maybe Rich 11 can take inspiration from my recipe for a safe nuclear power station. Encase it in a concrete dome with a radius such that the energy required to build it equals the total output of the power station during its lifetime.

  4. Anonymous Coward

    Bright side

    There might be a bright side to this if this 'exploit' actually allows changing the settings. If it does, what is to stop someone working out how to stop the slurp of everything that is done on the machine and reporting it all back to M$ and also giving back control to the owner of the box?

  5. Anonymous Coward
    Windows

    MSFT baaad.

    Thank you El Reg for another 2-minute hate on MSFT

  6. Anonymous Coward

    Double edged sword

    Sometimes it can feel that it is too secure (I know that sounds daft).

    I've been trying to get my Dad's laptop unlocked as he has forgotten all his passwords following several strokes. Persuading MSFT's bots that you are legit when you cannot access email accounts, the person doesn't know what phone they used to register the account with, etc. is very frustrating. My Dad finds it very distressing. Next steps are to investigate whether I can use my POA to get access.

    Please note this is not a complaint about security.

    Rather, it is a reminder to everyone about the importance of having some way that loved ones can access your digital assets in the event of your incapacity or death.

    1. Roger Kynaston

      Re: Double edged sword

      LastPass, KeePass?

      1. J27

        Re: Double edged sword

        You can even set those up with a biometric unlock. Your father can't forget his fingerprints.

      2. bombastic bob Silver badge
        Devil

        Re: Double edged sword

        keepass works for me, the non-".Not" open source version (KeePassXC) at any rate. Runs great on FreeBSD. I think there's a winders version also.

    2. Anonymous Coward

      Re: Double edged sword

      You could ofc just add your own administrator account to each machine or do what my mother did and have a notebook (paper) of all username/passwords/medicinal dosage/telephone numbers etc.

      When your memory goes, paper is much better than computers.

  7. Anonymous Coward

    Same old story

    Latest Windows is more secure than ever.

    We hear this every time, however Windows is still a security cesspool compared to everything else out there (Android, iOS, Chrome OS, macOS and Linux), which all seem to have security well under control.

    Our store services can remove malware from all of those systems, 99.999% of the time it's Windows, 7/8/10. Historically Microsoft would say it's because Windows had the biggest market share, but even that's not true anymore (it's no.2, yet no.1 doesn't even register on the malware scale for us, I think we might have had one once).
