New Login Theft Vulnerability Affects All Versions of Windows
Security researchers at Cylance have discovered a new take on an 18-year-old vulnerability that can be used to steal login credentials from any version of Windows. The company's SPEAR team worked with the CERT Coordination Center at Carnegie Mellon University to coordinate the vulnerability's disclosure. The vulnerability, dubbed "Redirect to SMB," can be used to exploit at least thirty-one applications from major tech companies, including Adobe, Apple, Box, Microsoft, Oracle, and Symantec.
Redirect to SMB
Redirect to SMB builds upon a Windows security flaw reported in 1997 by researcher Aaron Spangler. Microsoft never fixed the original vulnerability, which is why the new variant still works. The old attack needed only to get a user to click a malicious link pointing at an attacker-controlled SMB server (a file:// URL or a \\host\share path). Windows would then try to authenticate to that server automatically, and the server would log whatever credentials it received. The server never sees a plaintext password; Windows answers with an NTLM challenge-response, but a captured response can be cracked offline, and NTLMv1 in particular is weak by today's standards. With Redirect to SMB, a hacker doesn't even need to trick the user into clicking a malicious link. He simply needs to hijack communications between a Windows application, like Windows Update, and the destination server: the application's HTTP request is answered with a redirect to a file:// URL on the attacker's SMB server, and Windows authenticates to it just as before. Essentially, Redirect to SMB is a man-in-the-middle attack.
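As an added illustration (not part of the original article, and not code from Cylance or Microsoft), the Python below models the redirect hop described above. It holds a constructed man-in-the-middle reply to an application's HTTP request, the benign redirect a real server might send, and the check a client can make so it refuses to follow a redirect into a file:// URL or a UNC path while still following ordinary HTTP redirects. All hostnames, addresses and paths are made up.

```python
"""Model of the Redirect to SMB hop and a client-side redirect check.

Added example: not the page's, Cylance's or Microsoft's code. The hosts,
addresses and paths below are invented for illustration.
"""
from urllib.parse import urljoin, urlparse

# Constructed: an application's update-check request (hypothetical host).
ORIGINAL_REQUEST = "http://updates.example.com/check?v=1.2"

# Constructed: the reply a man-in-the-middle substitutes for the real server's
# answer. A client that follows it makes Windows open an SMB session to
# 203.0.113.7 and authenticate to it.
MITM_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: file://203.0.113.7/share/update.bin\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed: a benign redirect the same client must still follow.
BENIGN_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://updates.example.com/v2/check?v=1.2\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

SAFE_SCHEMES = {"http", "https"}
REDIRECT_CODES = (301, 302, 303, 307, 308)


def parse_response_head(raw):
    """Return (status_code, headers) from the head of a raw HTTP/1.1 response.

    Header names are lower-cased so lookups are case-insensitive.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    code = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, headers


def redirect_target(original, location):
    """Resolve a Location header against the original URL and decide whether
    following it would change the transport from HTTP to SMB.

    Returns (verdict, target) where verdict is "follow" or "refuse".
    """
    # A UNC path (\\host\share) is an SMB path on Windows. urljoin would treat
    # it as a relative path and hide it, so test for it before resolving.
    if location.startswith("\\\\"):
        return "refuse", location
    target = urljoin(original, location)
    scheme = urlparse(target).scheme.lower()
    # file:// with a remote host is resolved by Windows over SMB; any other
    # scheme change away from http/https is refused as well.
    if scheme not in SAFE_SCHEMES:
        return "refuse", target
    return "follow", target


def handle_response(original, raw):
    """What a hardened client does with a reply: follow only http/https targets."""
    code, headers = parse_response_head(raw)
    if code not in REDIRECT_CODES:
        return "done", original
    return redirect_target(original, headers.get("location", ""))


if __name__ == "__main__":
    for name, raw in (("mitm", MITM_RESPONSE), ("benign", BENIGN_RESPONSE)):
        print(name, handle_response(ORIGINAL_REQUEST, raw))
```

The scheme check is the application-level fix: a client that only ever follows http and https targets never hands Windows a file:// or UNC destination, so there is nothing for the rogue SMB server to receive, whatever the network in between does.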
Exploiting the redirect variant requires the attacker to have some control over the victim's network traffic, or at least over content the victim's browser loads. A sophisticated attack would craft a malicious ad that forces authentication attempts from Internet Explorer users who view it. A less sophisticated attack would target a public network, such as a shared wifi hotspot at a Starbucks, and intercept other users' traffic there.
In a statement to Reuters, Microsoft said the issue was not particularly serious and gave no indication that it plans to fix the vulnerability.
“Several factors would need to converge for a ‘man-in-the-middle’ cyberattack to occur. Our guidance was updated in a Security Research and Defense blog in 2009, to help address potential threats of this nature.”
“There are also features in Windows, such as Extended Protection for Authentication, which enhances existing defenses for handling network connection credentials.”
In the meantime, Cylance suggests using a firewall to block outbound SMB traffic (TCP ports 139 and 445) at the network edge, so that a redirected client cannot reach an attacker's SMB server on the Internet. That stops redirects to remote servers but not an attacker on the same local network, as in the hotspot case above, so it is a mitigation rather than a fix. More details on Redirect to SMB can be found in the team's white paper.