An old SMB security flaw is back to haunt Windows, and could affect any version of Windows

by Ashwin, April 14, 2015

A security vulnerability has been found in Windows that could let attackers steal users' login credentials.


The flaw is called “Redirect to SMB”, and was reported by Cylance, a security research firm.

SMB stands for Server Message Block. It is the network file sharing protocol Windows uses to access files stored on another computer across a network.

The flaw in question isn’t actually a new vulnerability at all. It was originally discovered 18 years ago, in 1997, by Aaron Spangler. And guess what? It was never patched.

What is the Redirect to SMB vulnerability?

Basically, it’s like this. When a URL beginning with “file://” that points at a remote host is clicked on or typed in by the user, Windows assumes the user wants to open a file on a network share and has its SMB client authenticate to that server, handing over the user’s login credentials in the process. Note that this authentication happens automatically, without any prompt to the user.

This is where the flaw lies: the server on the other end need not be a legitimate file server at all. It can be one the attacker controls.

The “redirect” part is what Cylance added to the old trick. An attacker who controls a web server that an application talks to, or who can tamper with that traffic in transit (for example on the same network), can answer an ordinary HTTP request with a redirect to a “file://” URL on a malicious SMB server. Windows follows the redirect and authenticates to it, giving the attacker the victim’s username, domain and hashed password (the NTLM challenge-response). The stolen credentials can then be cracked offline and used for malicious purposes by the attacker.

If you think hashed credentials should be safe, the answer is no. “An attacker with a high end GPU can crack an 8 character password which contains letters and numbers, within half a day”, says Cylance in a blog post.
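To make the mechanism above concrete, here is an added example (not code from the article or from Cylance): a small Python filter that a web proxy or IDS could run over HTTP responses, flagging 3xx redirects whose Location would make a Windows client open an SMB connection, namely file:// URLs with a remote host and UNC paths. The sample responses and the host name attacker.example are constructed for the example. Local file:/// URLs with no host and ordinary http(s) redirects are not flagged, because they trigger no network authentication.

```python
"""
Flag HTTP redirects that would make a Windows client authenticate to an SMB server.

Added example, not the article's or Cylance's code. A 3xx response whose Location
is a remote file:// URL or a UNC path is reported together with the host the
SMB client would contact; everything else returns None.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Hosts that resolve to the local machine: file:///C:/... opens a local file and
# sends no credentials over the network, so it is not a Redirect to SMB case.
LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}


def smb_target_host(location: str) -> Optional[str]:
    """Return the remote host an SMB client would contact for this Location, or None."""
    loc = location.strip()
    # UNC path: \\host\share\file. Windows path APIs accept this form directly.
    if loc.startswith("\\\\"):
        host = loc[2:].split("\\", 1)[0]
        return host or None
    parts = urlsplit(loc)
    if parts.scheme.lower() != "file":
        return None          # http(s) and relative redirects are ordinary web traffic
    host = (parts.hostname or "").lower()
    if host in LOCAL_HOSTS:
        return None          # no host component: a local file, no SMB connection
    return host


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP response into its status code and lower-cased header map."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ")[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def check_response(raw: bytes) -> Optional[str]:
    """Return the SMB host a Windows client would be redirected to, or None if benign."""
    status, headers = parse_response(raw)
    if not 300 <= status < 400:
        return None
    location = headers.get("location")
    if location is None:
        return None
    return smb_target_host(location)


# Constructed sample responses (not captured traffic).
REDIRECT_TO_SMB = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: file://attacker.example/share/update.exe\r\n"
    b"Content-Length: 0\r\n\r\n"
)
REDIRECT_UNC = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: \\\\attacker.example\\share\\update.exe\r\n\r\n"
)
REDIRECT_LOCAL_FILE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: file:///C:/Windows/win.ini\r\n\r\n"
)
REDIRECT_HTTPS = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://updates.example/patch\r\n\r\n"
)
OK_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"

if __name__ == "__main__":
    samples = {
        "file:// redirect": REDIRECT_TO_SMB,
        "UNC redirect": REDIRECT_UNC,
        "local file redirect": REDIRECT_LOCAL_FILE,
        "https redirect": REDIRECT_HTTPS,
        "200 OK": OK_RESPONSE,
    }
    for name, raw in samples.items():
        host = check_response(raw)
        verdict = f"would authenticate to SMB host {host}" if host else "benign"
        print(f"{name:22s} {verdict}")
```

A filter like this only sees redirects that pass through an inspection point, so it complements rather than replaces the network-level mitigation for this class of attack: blocking outbound SMB (TCP 139 and 445) at the perimeter, so that a client which does follow such a redirect cannot reach the attacker's server.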

The vulnerability affects a lot of popular Windows applications (31 in total), including Adobe Reader, Apple QuickTime, Internet Explorer and Windows Media Player. Even antivirus software isn’t safe: Symantec’s Norton Security Scan, AVG Free, BitDefender Free and Comodo Antivirus all suffer from this security flaw.

CNET reports that Microsoft isn’t concerned in the least about this, and dismissed reports that the flaw is high-risk. This is what they had to say:

“We don’t agree with Cylance’s claims of a new attack type. Cybercriminals continue to be engaged in a number of nefarious tactics,” a Microsoft spokesperson said. “However, several factors would need to come together for this type of cyberattack to work, such as success in luring a person to enter information into a fake website. We encourage people to avoid opening links in emails from senders that they don’t recognize or visiting unsecure sites.”

I feel compelled to state the obvious here: “Well Microsoft, that isn’t comforting one bit.” You had almost two decades to fix it, and you didn’t.