Computer security researchers have uncovered a new flaw in the Microsoft Windows operating system, dubbed ‘Redirect to SMB,’ which could be exploited by hackers to steal sensitive login credentials from any device running Windows 8.1 or earlier.
According to the SPEAR (Sophisticated Penetration Exploitation And Research) team at California-based cybersecurity firm Cylance, the Windows vulnerability “Redirect to SMB” exposes the user’s Windows username and password automatically when a user clicks on a malicious link or URL that connects a system to a server controlled by the attackers. The encrypted username and password combinations used to access the server could be logged and easily cracked by the hackers.
Cylance warned that the flaw could be exploited even without the user clicking a link, for example through a man-in-the-middle attack against a background Windows program such as a software updater. At least 31 companies, including Adobe, Apple and Oracle, are susceptible to the SMB flaw.
“‘Redirect to SMB’ is a way for attackers to steal valuable user credentials by hijacking communications with legitimate web servers via man-in-the-middle attacks, then sending them to malicious SMB (server message block) servers that force them to spit out the victim’s username, domain and hashed password,” Cylance’s Brian Wallace stated in a blog on the company’s website.
Researchers claim that the vulnerability was first noted in research done by Aaron Spangler in 1997.
“We uncovered Redirect to SMB while hunting for ways to abuse a chat client feature that provides image previews. When a URL to an image was received, the client attempted to show a preview of the image. Inspired by Aaron’s research some 18 years ago, we promptly sent another user a URL starting with file:// which pointed to a malicious SMB server. Surely enough, the chat client tried to load the image, and the Windows user at the other end attempted to authenticate with our SMB server.”
In response, Microsoft said the threat posed by the purported weakness was not as great as Cylance claimed.
“Several factors would need to converge for a ‘man-in-the-middle’ cyberattack to occur. Our guidance was updated in a Security Research and Defense blog in 2009, to help address potential threats of this nature,” said Microsoft in an emailed statement.
“There are also features in Windows, such as Extended Protection for Authentication, which enhances existing defenses for handling network connection credentials.”
Microsoft has not stated if or when a patch would arrive.
Meanwhile, the CERT unit of the Software Engineering Institute at Carnegie Mellon University, a federally funded body that tracks computer bugs and internet security issues, issued an advisory on Monday warning that it was unaware of a full solution to the problem.
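With no complete fix available, one compensating check is to inspect HTTP redirects before a Windows client follows them, since the attack described above hinges on a redirect whose target is a file:// URL or UNC path pointing at an attacker-controlled SMB server. The script below is an added example, not code from Cylance, Microsoft or CERT; the sample responses and hostnames are constructed placeholders, and a real deployment would feed it Location headers from a proxy or web-filter log.

```python
r"""Flag 'Redirect to SMB' style redirects in HTTP responses.

Added example (not Cylance's or Microsoft's code): a 3xx response whose
Location header points at a file:// URL or a UNC path (\\host\share)
makes a Windows client that follows it attempt SMB authentication to that
host. Flagging such redirects at a proxy or in log review catches the
pattern before any client follows it. Sample data below is constructed.
"""
import re
from urllib.parse import urlsplit

# (requested URL, HTTP status, Location header) - constructed samples,
# hostnames are documentation-range placeholders, not real indicators.
SAMPLE_RESPONSES = [
    ("http://cdn.example.test/logo.png", 302, "file://203.0.113.10/share/logo.png"),
    ("http://updates.example.test/check", 301, "\\\\203.0.113.10\\share\\update.exe"),
    ("http://www.example.test/old", 301, "https://www.example.test/new"),
    ("http://www.example.test/img", 200, None),
]

# UNC path: two leading backslashes, a host, then a backslash.
UNC_RE = re.compile(r"^\\\\[^\\]+\\")


def smb_target_host(location):
    """Host a Windows client would authenticate to, or None if not SMB."""
    loc = location.strip()
    if UNC_RE.match(loc):
        return loc[2:].split("\\", 1)[0]
    parts = urlsplit(loc)
    # file://host/share names a remote share; a bare file:///path does not.
    if parts.scheme.lower() == "file" and parts.netloc:
        return parts.hostname
    return None


def redirect_leaks_smb_auth(status, location):
    """True when a 3xx redirect would trigger SMB authentication."""
    if location is None or not 300 <= status < 400:
        return False
    return smb_target_host(location) is not None


def flag_redirects(responses):
    """Return (requested URL, SMB host) for each suspicious redirect."""
    return [(url, smb_target_host(loc))
            for url, status, loc in responses
            if redirect_leaks_smb_auth(status, loc)]


if __name__ == "__main__":
    for url, host in flag_redirects(SAMPLE_RESPONSES):
        print(f"{url} redirects to SMB share on {host}")
```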