This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.
Please READ THIS FAQ before filing a bug: https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md
Please see the following link for instructions on filing security bugs:
https://www.chromium.org/Home/chromium-security/reporting-security-bugs
NOTE: Security bugs are normally made public once a fix has been widely
deployed.
VULNERABILITY DETAILS
Please provide a brief explanation of the security issue.
This is from cert/cc:
We wanted to make sure that you were aware of this recent post:
https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
Essentially, .settingcontent-ms files retain the MOTW, but Windows
doesn't prompt the user before running the file, which can run
arbitrary commands.
We've tested that Chrome will download such files as stand-alone files
if the server provides an application/octet-stream mime type. At this
point, the user is a single click away from code execution without any
prompting by Windows. IE and Edge appear to sniff the content and
ignore the server-provided MIME type, so in those browsers the content
is just displayed in the browser.
It would seem that on the Windows side, the MOTW should be enforced
with such files. And on the Chrome side, perhaps such files should be
treated as "unsafe" if possible.
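As an added illustration of the Chrome-side mitigation suggested above (not Chrome's own code and not part of the original report), the following example decides download handling from the file extension alone, so a server-supplied application/octet-stream type cannot downgrade it, and confirms that the MOTW is present by parsing the Zone.Identifier alternate data stream. The extension set, the function names and the sample stream content are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Extensions that Windows opens without a MOTW prompt even when the file is
# tagged. Only the type named in the CERT/CC note is listed; this is an
# assumption for the example, not Chrome's own dangerous-type table.
UNSAFE_EXTENSIONS = {".settingcontent-ms"}


@dataclass
class DownloadDecision:
    filename: str
    server_mime: str
    zone_id: Optional[int]
    has_motw: bool
    treat_as_unsafe: bool


def normalize_extension(filename: str) -> str:
    """Final extension, lower-cased, after dropping the trailing dots and
    spaces Windows ignores when it resolves a file type."""
    name = filename.rstrip(". ")
    idx = name.rfind(".")
    return name[idx:].lower() if idx != -1 else ""


def parse_zone_identifier(stream: str) -> Optional[int]:
    """Return ZoneId from a Zone.Identifier stream ("[ZoneTransfer]" section,
    "ZoneId=<n>" key), or None when the stream carries no zone."""
    in_section = False
    for raw in stream.splitlines():
        line = raw.strip()
        if line.lower() == "[zonetransfer]":
            in_section = True
            continue
        if line.startswith("["):
            in_section = False
            continue
        match = re.match(r"(?i)zoneid\s*=\s*(\d+)$", line)
        if in_section and match:
            return int(match.group(1))
    return None


def classify_download(filename: str, server_mime: str, zone_stream: str) -> DownloadDecision:
    """Classify purely by extension; the MIME type is recorded but never
    consulted, which is the point of the mitigation."""
    zone_id = parse_zone_identifier(zone_stream) if zone_stream else None
    has_motw = zone_id is not None and zone_id >= 3  # 3 = Internet, 4 = Restricted
    unsafe = normalize_extension(filename) in UNSAFE_EXTENSIONS
    return DownloadDecision(filename, server_mime, zone_id, has_motw, unsafe)
```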
Comment 1 by elawrence@chromium.org, Jun 12 2018