New Login Theft Vulnerability Affects All Versions of Windows

by Neil Sardesai, April 15, 2015

Security researchers at Cylance have recently discovered a new take on an 18-year-old vulnerability that can be used to steal login credentials from any version of Windows. The company’s SPEAR team worked with researchers at Carnegie Mellon University to carefully coordinate the vulnerability’s disclosure. The vulnerability, dubbed “Redirect to SMB,” can be used to exploit software from at least thirty-one major tech companies, including Adobe, Apple, Box, Microsoft, Oracle, and Symantec. 

Redirect to SMB

Redirect to SMB builds upon a Windows security flaw discovered in 1997 by researcher Aaron Spangler. Microsoft never fixed the original vulnerability, which helps make Redirect to SMB more effective. The new attack works by tricking applications into allowing Windows to authenticate with a rogue server. Essentially, Redirect to SMB is a man-in-the-middle attack. The old vulnerability could be exploited by simply getting a user to click a malicious link. This would trigger an attempt to authenticate with a rogue server. The server would then log any received usernames and passwords. If the credentials are encrypted, as they commonly are with SMB, they can be brute-forced later, especially since the encryption used by SMB is weak by today’s standards. With Redirect to SMB, however, a hacker doesn’t even need to trick the user into clicking a malicious link. He simply needs to hijack communications between a Windows application, like Windows Update, and the destination server.

The Attack

Exploiting the vulnerability requires a hacker to have some control over the victim’s network traffic. An example of a sophisticated attack would be to craft a malicious ad that would force authentication attempts from Internet Explorer users. An example of a less sophisticated attack would be to attack a public network such as a shared Wi-Fi hotspot at Starbucks.

Microsoft’s Response

In a statement to Reuters, Microsoft said the issue wasn’t particularly serious and did not indicate any plans to fix the vulnerability.

“Several factors would need to converge for a ‘man-in-the-middle’ cyberattack to occur. Our guidance was updated in a Security Research and Defense blog in 2009, to help address potential threats of this nature.”

“There are also features in Windows, such as Extended Protection for Authentication, which enhances existing defenses for handling network connection credentials.”

In the meantime, Cylance suggests using a firewall to block certain outbound traffic to mitigate the issue. More details on Redirect to SMB can be found in the team’s white paper.
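
One way to check that the firewall mitigation above is in effect, as an added example (not code from Cylance or from the original article): it scans flow records for outbound TCP 139/445, the ports SMB uses, leaving the internal address ranges. The log format, the sample records, and the internal ranges are constructed assumptions.

```python
import csv
import ipaddress
from io import StringIO

# Assumption: the address ranges this site treats as internal; adjust to local policy.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
SMB_TCP_PORTS = {139, 445}  # NetBIOS session service and SMB over TCP

# Constructed sample flow records: time, src, dst, dst_port, proto, action.
SAMPLE_FLOWS = """\
2015-04-15T09:00:01,10.0.4.17,10.0.1.5,445,tcp,allow
2015-04-15T09:00:07,10.0.4.17,203.0.113.50,445,tcp,allow
2015-04-15T09:00:09,10.0.4.22,198.51.100.9,139,tcp,deny
2015-04-15T09:00:12,10.0.4.22,198.51.100.9,443,tcp,allow
2015-04-15T09:00:15,10.0.4.31,203.0.113.50,445,udp,allow
2015-04-15T09:00:20,10.0.4.31,not-an-ip,445,tcp,allow
"""

def is_internal(addr):
    """True if addr falls inside one of the configured internal ranges."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in INTERNAL_NETS)

def external_smb_flows(text):
    """Return (allowed, blocked) lists of SMB flows from internal hosts to external ones."""
    allowed, blocked = [], []
    for row in csv.reader(StringIO(text)):
        if len(row) != 6:
            continue  # wrong field count
        ts, src, dst, port, proto, action = (f.strip() for f in row)
        try:
            outbound = is_internal(src) and not is_internal(dst)
            port = int(port)
        except ValueError:
            continue  # malformed address or port
        if outbound and proto.lower() == "tcp" and port in SMB_TCP_PORTS:
            target = allowed if action.lower() == "allow" else blocked
            target.append((ts, src, dst, port))
    return allowed, blocked

if __name__ == "__main__":
    allowed, blocked = external_smb_flows(SAMPLE_FLOWS)
    for flow in allowed:
        print("egress SMB allowed (rule gap):", *flow)
    for flow in blocked:
        print("egress SMB blocked:", *flow)
```

Any entry in the allowed list means an internal host reached an external SMB listener, so the outbound block is missing or incomplete on that path.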


  • Yet another vulnerability in the software the government uses to hack us, no surprise here at all. Windows is completely compromised. They do the bidding of the government and they are closed source. Who knows how many backdoors are in Windows and other closed-source products.