Security researchers have uncovered a variant of an 18-year-old vulnerability in all versions of Windows – including technical previews of Windows 10 – that could be exploited to steal sensitive login credentials from a number of popular applications.
‘Redirect to SMB’ is a man-in-the-middle attack that tricks applications into letting Windows authenticate with a hacker-controlled server. The underlying vulnerability was first discovered in 1997 by researcher Aaron Spangler, and Microsoft did not issue a patch.
Spangler found that a URL beginning with the word “file” and followed by an IP address would cause the operating system to authenticate with a server message block (SMB) server at that IP.
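The behaviour Spangler described can be checked for before an application follows a URL or redirect target. The following is an added illustration, not code from Cylance or from the article: it extracts the host that Windows would contact over SMB for a `file://` URL or a UNC path, and classifies it against an assumed set of internal address ranges (the `INTERNAL_NETS` values and the sample URLs are constructed placeholders).

```python
import ipaddress
import re
from urllib.parse import urlparse

# Assumed internal address ranges (placeholder values; substitute the real ones).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hosts that name the local machine; a file URL using them never leaves the host.
LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}

# Constructed sample: URLs and redirect targets an application might be handed.
SAMPLE_URLS = [
    "file://203.0.113.10/share/doc.pdf",       # file URL naming an external IP
    "file:///C:/Users/alice/report.pdf",       # local path, no network host
    "file://localhost/C:/temp/readme.txt",     # explicit localhost, still local
    "file://10.0.0.5/public/readme.txt",       # file URL to an internal host
    r"\\198.51.100.7\share\image.png",         # UNC path: same SMB behaviour
    "https://example.test/update.xml",         # ordinary HTTPS URL
    "file://fileserver.corp.example/share/x",  # hostname rather than IP literal
]

# \\host\share... : capture the host between the leading double backslash and the next one.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")

def smb_host(url):
    """Return the host Windows would contact over SMB for this URL, or None."""
    url = url.strip()
    m = UNC_RE.match(url)
    if m:
        host = m.group(1)
    else:
        parts = urlparse(url)
        if parts.scheme.lower() != "file":
            return None
        host = parts.hostname or ""
    return None if host.lower() in LOCAL_HOSTS else host

def classify(url):
    """'no-smb', 'internal', 'external', or 'hostname' (needs DNS before it can be judged)."""
    host = smb_host(url)
    if host is None:
        return "no-smb"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"

def untrusted_smb_urls(urls):
    """URLs that would trigger SMB authentication to an address outside INTERNAL_NETS."""
    return [u for u in urls if classify(u) == "external"]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{classify(u):9} {u}")
```

A hostname result is deliberately left undecided: the address it resolves to is what matters, and resolving it in the classifier would itself be a network action. Applying the check to the `Location` header of an HTTP redirect, before following it, covers the redirect case the attack is named after.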
Cylance found four susceptible common API functions used by some of the world’s most popular software, including Adobe Reader; Apple QuickTime and Apple Software Update for iTunes; Box’s Sync client; Symantec’s Norton Security Scan; and Microsoft’s Internet Explorer 11, Excel 2010 and Windows Media Player.
Although user credentials sent to legitimate SMB servers are encrypted, the method employed was designed in 1998 and is easy to decode in 2015.
“A stronger hashing algorithm being used on these credentials would decrease the impact of this issue, but not as much as disabling automatic authentication with untrusted SMB servers,” said the researchers. “With roughly $3,000 worth of GPUs, an attacker could crack any 8-character password consisting of letters (upper and lower case) as well as numbers in less than half a day.”
Cylance has spent six weeks working with CERT at Carnegie Mellon University to coordinate the disclosure of the new vulnerability, allowing the affected vendors to fix or mitigate the bug. Until Microsoft fixes it itself, it is recommended that users block outbound traffic to TCP ports 139 and 445 at either the endpoint firewall or the network gateway firewall, if using a trusted network.
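Whether the recommended egress block is in place, and which hosts are attempting to authenticate outward, can be read off the gateway's connection log. The following is an added example, not part of the article or Cylance's whitepaper: it parses constructed firewall log lines in a simple "timestamp action proto src:port -> dst:port" layout (the format, the addresses and the `INTERNAL_NETS` ranges are all assumptions) and reports TCP 139/445 connections to destinations outside the internal ranges, separating the ones the firewall allowed, which are rule gaps, from the ones it blocked.

```python
import ipaddress
import re

SMB_PORTS = {139, 445}

# Assumed internal address ranges (placeholder values; substitute the real ones).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of egress firewall log lines.
SAMPLE_LOG = """\
2015-04-13T09:58:01Z ALLOW TCP 10.0.0.23:51234 -> 10.0.0.9:445
2015-04-13T09:58:07Z ALLOW TCP 10.0.0.23:51240 -> 203.0.113.10:445
2015-04-13T09:58:09Z ALLOW TCP 10.0.0.41:51241 -> 198.51.100.7:139
2015-04-13T09:58:12Z ALLOW TCP 10.0.0.41:51242 -> 198.51.100.7:443
2015-04-13T09:58:15Z BLOCK TCP 10.0.0.23:51243 -> 203.0.113.10:445
2015-04-13T09:58:20Z ALLOW UDP 10.0.0.23:51244 -> 10.0.0.2:53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>[A-Z]+)\s+(?P<proto>[A-Z]+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec

def external_smb_events(log_text):
    """TCP connections to port 139/445 whose destination lies outside INTERNAL_NETS."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] not in SMB_PORTS:
            continue
        if not is_internal(rec["dst"]):
            events.append(rec)
    return events

def policy_gaps(log_text):
    """External SMB connections the firewall let through: the egress rule is missing or incomplete."""
    return [e for e in external_smb_events(log_text) if e["action"] == "ALLOW"]

def sources_attempting(log_text):
    """Internal hosts that tried to reach external SMB, allowed or blocked, sorted."""
    return sorted({e["src"] for e in external_smb_events(log_text)})

if __name__ == "__main__":
    for e in external_smb_events(SAMPLE_LOG):
        print(f'{e["ts"]} {e["action"]:5} {e["src"]} -> {e["dst"]}:{e["dport"]}')
```

Blocked entries are still worth keeping: an internal host repeatedly attempting SMB to outside addresses is the client-side symptom of exactly the redirect the article describes, and identifies the machine whose application followed it.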
Other mitigations are available in a whitepaper published by the security firm.
“The former will block all SMB communication, which may disable other features that depend on SMB. If the block is done at the network gateway’s firewall, SMB features will still work inside the network, but prevent authentication attempts with destinations outside the network,” explained Cylance.
“Microsoft did not resolve the issue reported by Aaron Spangler in 1997. We hope that our research will compel Microsoft to reconsider the vulnerabilities and disable authentication with untrusted SMB servers. That would block the attacks identified by Spangler as well as the new Redirect to SMB attack.”