
Issue 851528

Issue metadata

Status: Fixed
Closed: Jun 2018
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug

Security: SettingContent-ms extension bypasses 'dangerous file' prompt leading to WebExt RCE

Reported by, Jun 11 2018

Issue description

SettingContent-ms is a new Windows 10 extension that can be used to execute arbitrary local files with parameters.

Chrome Version: latest stable
Operating System: Windows 10

Download attached SettingContent-ms file, or install attached extension for RCE.

Please CC, he found the file and wrote about it an hour ago and I just so happened to stumble upon it and connected the dots.

P.S. this bypasses Mark of the Web, despite there being an alternative data stream clearly marking the file as coming from the internet, it still does not display any warning prior to execution.
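A defender-side triage sketch for the behaviour reported above, added here as an example and not part of the original report or of Chromium's code. It flags downloaded files of the reported type and reads the zone from their Zone.Identifier stream instead of relying on a prompt. The function names, the watch list and the sample entries are assumptions made for this example.

```python
import configparser

# URLZONE values Windows stores in the Zone.Identifier stream.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites", 3: "Internet", 4: "Restricted Sites"}
# Assumed local watch list; only .settingcontent-ms comes from the report.
WATCHED_EXTENSIONS = {".settingcontent-ms"}

def effective_extension(filename):
    """Extension as Windows resolves it: case-insensitive, trailing dots/spaces dropped."""
    name = filename.rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""

def read_zone_stream(path):
    """On NTFS the mark is readable as '<path>:Zone.Identifier'; None if absent."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None

def parse_zone_id(stream_text):
    """ZoneId from the stream's INI text, or None if missing or malformed."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    try:
        parser.read_string(stream_text or "")
        return parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None

def triage(entries):
    """entries: (filename, Zone.Identifier text or None). Flags watched types only."""
    findings = []
    for filename, stream_text in entries:
        if effective_extension(filename) not in WATCHED_EXTENSIONS:
            continue
        zone = parse_zone_id(stream_text)
        priority = "high" if zone in (3, 4) else "review"
        findings.append((filename, ZONES.get(zone, "unmarked"), priority))
    return findings

# Constructed sample: names and stream contents are made up for this example.
SAMPLE = [
    ("report.pdf", "[ZoneTransfer]\r\nZoneId=3\r\n"),
    ("Update.SettingContent-ms", "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://downloads.example/u\r\n"),
    ("notes.settingcontent-ms. ", None),
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

On a live NTFS volume, pair each file name with `read_zone_stream(path)` to build the entries; a watched file with no readable mark is still reported for review, because the mark may have been stripped.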

Comment 2 by, Jun 11 2018

Components: UI>Browser>Downloads Services>Safebrowsing
Labels: M-68 Security_Impact-Beta Security_Severity-Low OS-Windows Pri-2
Status: Assigned (was: Unconfirmed)
I'm sure you can get arbitrary code execution with just the stuff that's installed by default on Windows. So, definitely want this on the dangerous list. Thanks for the report! vakh, you want this one?

Comment 3 by, Jun 11 2018

Status: Started (was: Assigned)

Comment 4 by, Jun 11 2018

This looks like the original report:

Thanks for reporting it to us!
Project Member

Comment 5 by, Jun 12 2018

The following revision refers to this bug:

commit 2825a8e860b1d2f14d187be5fdf6b8e1f479e81d
Author: Varun Khaneja <>
Date: Tue Jun 12 05:32:44 2018

Send pings when users download .settingcontent-ms files

Bug:  851528 
Cq-Include-Trybots: master.tryserver.chromium.linux:closure_compilation
Change-Id: I950fe0b3241d1cff134957929f76eb3f1fb8b483
Commit-Queue: Varun Khaneja <>
Reviewed-by: David Trainor <>
Reviewed-by: Jialiu Lin <>
Cr-Commit-Position: refs/heads/master@{#566328}

Comment 6 by, Jun 12 2018

 Issue 851860  has been merged into this issue.

Comment 7 by, Jun 12 2018

 Issue 851801  has been merged into this issue.

Comment 8 by, Jun 15 2018

Status: Fixed (was: Started)
Project Member

Comment 9 by, Jun 16 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel

Comment 11 by, Jun 20 2018

Components: -Services>Safebrowsing Services>Safebrowsing>VRP
Labels: -Type-Bug-Security Type-Bug

Comment 12 by, Jun 20 2018

Labels: reward-0
Labels: -reward-topanel
Project Member

Comment 14 by, Sep 22

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot