P.S. this bypasses Mark of web, despite there being a alternative data stream clearly marking the file as coming from internet, it still does not display any warning prior to execution.

I'm sure you can get arbitrary code execution with just the stuff that's installed by default on Windows. So, definitely want this on the dangerous list. Thanks for the report! vakh, you want this one?

This looks like the original report: https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39

Thanks for reporting it to us!

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2825a8e860b1d2f14d187be5fdf6b8e1f479e81d

commit 2825a8e860b1d2f14d187be5fdf6b8e1f479e81d
Author: Varun Khaneja <vakh@chromium.org>
Date: Tue Jun 12 05:32:44 2018

Send pings when users download .settingcontent-ms files

Bug:  851528 
Cq-Include-Trybots: master.tryserver.chromium.linux:closure_compilation
Change-Id: I950fe0b3241d1cff134957929f76eb3f1fb8b483
Reviewed-on: https://chromium-review.googlesource.com/1096342
Commit-Queue: Varun Khaneja <vakh@chromium.org>
Reviewed-by: David Trainor <dtrainor@chromium.org>
Reviewed-by: Jialiu Lin <jialiul@chromium.org>
Cr-Commit-Position: refs/heads/master@{#566328}
[modify] https://crrev.com/2825a8e860b1d2f14d187be5fdf6b8e1f479e81d/chrome/browser/resources/safe_browsing/download_file_types.asciipb
[modify] https://crrev.com/2825a8e860b1d2f14d187be5fdf6b8e1f479e81d/components/download/internal/common/download_stats.cc
[modify] https://crrev.com/2825a8e860b1d2f14d187be5fdf6b8e1f479e81d/tools/metrics/histograms/enums.xml

 Issue 851860  has been merged into this issue.

 Issue 851801  has been merged into this issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot