
protection from .settingcontent-ms filetype abuse

I see a worrying article from Matt Nelson, on the SpecterOps site below, about the .SettingContent-ms filetype. His research has revealed that it is extremely easy to bypass the Attack Surface Reduction (ASR) rules.

Although Microsoft introduced Attack Surface Reduction (ASR) rules into Windows 10, it requires Windows Defender AV as a dependency. This means that if you have another registered AV installed (e.g. Norton Security), then the ASR rules that WOULD OTHERWISE be handled by Defender, are now dependent on the 3rd-party AV taking on the ASR role instead.

My question is:

Will Norton Security protect my system from the scenarios posted in the article (either with ANY of the "triple" command strings used that execute a file already on the system, or with the method whereby a user is tricked into clicking on a link that merely CONTAINS a crafted .SettingContent-ms file, that appears to run unchallenged)? My version is: 22.15.0.88.

https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39

NOTE: I posted this 1 month and 1 day ago, and just found that after waiting for that time for the Norton Support tagged guys to answer, the thread was closed WITHOUT AN ANSWER. This is not acceptable, and I have had to spend more time creating a new thread to report the same thing. I feel I have wasted my time in trying to report an important vulnerability, and need to know how I stand with my purchased AV product from Norton.

Replies


Re: protection from .settingcontent-ms filetype abuse

A little bit of knowledge is... well a little bit of knowledge.
Accepted Solution

Re: protection from .settingcontent-ms filetype abuse

From the bottom of your link to specterops, the vulnerability has been fixed. 

[UPDATE] 8/14/2018: MSRC fixed the issue CVE-2018-8414 (https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8414)

Things happen. Export/Backup your Norton Password Manager data.

Re: protection from .settingcontent-ms filetype abuse

Hello @peterweb - many thanks for the quick reply. This DOES indeed look like it is now fixed with an August Windows Update, that is now validating paths with this file type. I have the KB4343909 update loaded on one of my systems, I will check the others.

I looked at the update details, and it is strange (but probably expected with security fixes) that this particular fix, or even the generic "security update to program x" is not mentioned anywhere. Hopefully Microsoft HAVE indeed fixed this oversight, so I will mark it as resolved.


Re: protection from .settingcontent-ms filetype abuse

MS is unlikely to give specific details on a vulnerability. As we know, many users do not accept all Windows updates. No need to give the bad guys a tutorial on how to attack a non-updated system.

Things happen. Export/Backup your Norton Password Manager data.

This thread is closed from further comment. Please visit the forum to start a new thread.
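
The checks discussed in this thread (which AV is registered, whether Defender AV is active so that ASR rules can apply, and whether the update named above is listed) can be gathered in one read-only PowerShell pass. This is an added example, not code from any poster, Norton or Microsoft; it assumes a Windows 10 client with the built-in Defender module, and the variable names are illustrative.

```powershell
# Added example: read-only posture check for the points raised in this thread.
# KB id is the one quoted in the thread; other Windows 10 builds received
# the fix under a different KB number, so adjust it per build.
$kb = 'KB4343909'

# 1. AV products registered with Windows Security Center (client SKUs only).
$registered = @(Get-CimInstance -Namespace 'root/SecurityCenter2' `
        -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty displayName)

# 2. ASR depends on Defender AV being the active engine with real-time protection.
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
$defenderActive = [bool]($status -and $status.AntivirusEnabled -and
                         $status.RealTimeProtectionEnabled)

# 3. Configured ASR rules and their actions (Ids and Actions are parallel arrays).
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$pref = Get-MpPreference -ErrorAction SilentlyContinue
$asrRules = @()
if ($pref -and $pref.AttackSurfaceReductionRules_Ids) {
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $code = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
        $name = $actionNames[$code]
        if (-not $name) { $name = "Unknown($code)" }
        $asrRules += [pscustomobject]@{
            RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
            Action = $name
        }
    }
}

# 4. Is the update listed? A later cumulative update supersedes it, so a
#    missing entry is a prompt to check the OS build, not proof of exposure.
$hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue

[pscustomobject]@{
    RegisteredAV     = $registered -join ', '
    DefenderActive   = $defenderActive
    AsrRulesInBlock  = @($asrRules | Where-Object Action -eq 'Block').Count
    AsrRulesTotal    = $asrRules.Count
    UpdateListed     = [bool]$hotfix
    OsBuild          = [System.Environment]::OSVersion.Version.ToString()
} | Format-List
$asrRules | Format-Table -AutoSize
```

If `DefenderActive` is false while a third-party product appears in `RegisteredAV`, any ASR rules listed are configured but not being enforced by Defender.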