New Security Flaw Spans All Versions Of Windows

Newly found 'forever-day' vulnerability affects 31 popular software programs including applications from Adobe, Apple, Microsoft, Symantec -- and Windows 10 preview.

A security flaw affecting all versions of Windows, as well as the products of some 31 software vendors including Adobe, Apple, Oracle, and Symantec, was disclosed publicly today.

The so-called "Redirect To SMB" vulnerability, found by Cylance SPEAR team researcher Brian Wallace, lets an attacker siphon the encrypted login credentials of Windows PC users. An attacker could do so either via a compromised web server or by wresting control of network traffic and redirecting it to a malicious SMB-based server, where the Windows users' credentials would then be stolen.

The attacker then could crack the credentials in a matter of hours, according to Cylance, and use them to steal data, control the PC, or launch attacks on other parts of the victim machine's network.

A large number of popular applications and developer tools that communicate with the flawed Windows API are affected by the bug; if exploited, it could abuse them to leak credentials. The affected software includes Adobe Reader, Apple QuickTime and Apple iTunes Software Update; Internet Explorer 11, Windows Media Player, Excel 2010, Microsoft Baseline Security Analyzer, Symantec Norton Security Scan, AVG Free, BitDefender Free, Comodo Antivirus, .NET Reflector, Maltego CE, Box Sync, TeamViewer, GitHub for Windows, PyCharm, IntelliJ IDEA, PHP Storm, and the Oracle JDK 8u31 installer.

Even the as-yet unreleased Windows 10 preview is vulnerable to the attack. It's basically an extension of a previously found bug discovered in 1997 that allowed an attacker to steal credentials using Windows Server Message Block (SMB), the Windows network protocol for domain and network authentication, file shares, remote administration, and print-sharing. When a Windows machine uses the SMB protocol to access a file share, for example, it authenticates the user's encrypted login credentials with the SMB server.

Microsoft did not patch that bug -- which could be exploited using file:// URI schemes -- but instead initially provided mitigation methods, later adding its Extended Protection for Authentication feature for Windows. But Wallace says Windows machines are still vulnerable to that older attack if they don't change the default settings in the operating system to the workaround.

Wallace and his team say this is a so-called "forever-day" vulnerability because it remains alive and well: in the latest iteration of the attack found by Wallace, bad guys could intercept HTTP/HTTPS requests by browsers and applications, including application updates and online advertisements. Some of these attacks could occur via man-in-the-middle exploits.

Microsoft did not release a patch for the latest flaw today, noting that such an attack would require several elements to pull off successfully: "Several factors would need to converge for a 'man-in-the-middle' cyberattack to occur," a Microsoft spokesperson said. "Our guidance was updated in a Security Research and Defense blog in 2009, to help address potential threats of this nature. There are also features in Windows, such as Extended Protection for Authentication, which enhances existing defenses for handling network connection credentials."

Wallace says the bug is actually located in two places: one, in the known flaw in how Windows connects to SMB, and another, in the Windows API library. "The applications [affected by the bug] either use the library provided by Windows that allows for this redirect … Or in some cases, the application implements functionality that causes the issue," such as redirecting from HTTP to loading files on a file system, he says, which gives the attacker a way to steal information.
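The redirect Wallace describes leaves a visible trace on the wire: an HTTP 3xx response whose Location header points at a file:// URL or a UNC path rather than another web URL, which is what makes a Windows client open an SMB connection to the named host. The following detector is an added example written for this article, not code from Cylance or the researchers quoted; it scans a constructed proxy-log format (timestamp, client, method, URL, status, Location) for exactly that pattern and rates redirects toward hosts outside an assumed set of internal ranges (10/8, 172.16/12, 192.168/16, loopback) as the most serious, since those are the connections blocking outbound TCP 139/445 at the perimeter would stop.

```python
import ipaddress
import re
from urllib.parse import urlparse

# HTTP status codes whose Location header a client will follow.
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Assumed internal address ranges for this example; adjust to your own allocation.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# \\host\share... (UNC path) as it would appear in a Location header.
UNC_RE = re.compile(r"^\\\\([^\\/]+)(?:[\\/]|$)")

# Constructed proxy log format: ts client method url status location ("-" if none).
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
                    r"(?P<status>\d{3}) (?P<location>\S+)$")


def smb_target(location):
    """Return the host a Location value would make a Windows client contact over SMB,
    or None if the redirect stays on HTTP/HTTPS or another harmless scheme."""
    loc = location.strip()
    m = UNC_RE.match(loc)
    if m:
        return m.group(1)
    parsed = urlparse(loc)
    if parsed.scheme.lower() != "file":
        return None
    if parsed.netloc:                      # file://host/share/...
        return parsed.netloc
    if parsed.path.startswith("//"):       # file:////host/share/... (host lands in path)
        parts = parsed.path.split("/")
        return parts[2] or None
    return None


def is_internal(host):
    """True if the SMB target is on an assumed-internal range or is a bare
    NetBIOS-style name (no dots), which this example treats as intranet."""
    host = host.rsplit("@", 1)[-1]         # drop any user:pass@ prefix
    if host.count(":") == 1:               # drop an IPv4 :port suffix
        host = host.split(":")[0]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "." not in host
    return any(addr in net for net in INTERNAL_NETS)


def scan_log(lines):
    """Return one finding per HTTP redirect that steers a client toward SMB."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or int(m["status"]) not in REDIRECT_CODES or m["location"] == "-":
            continue
        host = smb_target(m["location"])
        if host is None:
            continue
        findings.append({
            "ts": m["ts"],
            "client": m["client"],
            "request": m["url"],
            "smb_host": host,
            # External SMB targets are the Redirect-to-SMB case; internal ones may be
            # legitimate intranet shares but still deserve a look.
            "severity": "medium" if is_internal(host) else "high",
        })
    return findings


# Constructed sample log: two benign lines, three redirects into SMB.
SAMPLE_PROXY_LOG = [
    "2015-04-13T10:00:01Z 10.0.0.5 GET http://updates.example.com/check 200 -",
    "2015-04-13T10:00:02Z 10.0.0.5 GET http://ads.example.net/banner 302 http://cdn.example.net/banner.png",
    "2015-04-13T10:00:03Z 10.0.0.7 GET http://updates.example.com/check 302 file://203.0.113.9/share/update.exe",
    r"2015-04-13T10:00:04Z 10.0.0.9 GET http://intranet.corp.example/docs 301 \\fileserver\docs\index.html",
    "2015-04-13T10:00:05Z 10.0.0.7 GET http://news.example.org/feed 307 file:////203.0.113.9/share/",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_PROXY_LOG):
        print(f"{f['severity']:6} {f['ts']} {f['client']} {f['request']} -> SMB host {f['smb_host']}")
```

Run as a script it prints the three SMB-bound redirects, two of them rated high because 203.0.113.9 is outside the assumed internal ranges. The same check belongs at the point where responses are still visible in clear, so a forward proxy or TLS-inspecting gateway is the natural place to run it; the host-side complement is the port block Wallace recommends below.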

HD Moore, chief research officer at Rapid7 and creator of Metasploit, says the attack puts Windows clients at risk on untrusted or compromised networks. "Exploiting SMB connections for hash capture and relay usually requires some action on the user's part, such as opening an email or clicking a link," he explains. "Non-interactive attacks would be [limited] to exploiting some kind of saved SMB configuration, such as a network printer or file share."

How difficult would it be for an attacker to pull off? "It depends" on the attacker, Cylance's Wallace says. "It could be launched against IE users with malvertising" or Web injection attacks that redirect the user to the malicious SMB server, or in more targeted scenarios, via a MITM attack, he says.

iTunes Attack

Apple's Software Updater for iTunes, for instance, is vulnerable to this attack via MITM. An attacker would have to have compromised Apple's DNS record and redirected update requests to a malicious SMB server. When the updater program checks for a new version via HTTP, an attacker controlling that connection would redirect the client machine to the malicious SMB server, to which the client would then try to authenticate.

Wallace--who says this issue rates as a 7 out of 10, with 10 being the most critical--says he hasn't seen any signs of Redirect to SMB attacks to date. The simplest way to defend against it now is to block TCP ports 139 and 445, he says, which basically disables SMB communications. Microsoft also has a Group Policy setting to prevent such an attack, but he says it's not clear in the documentation.

Rapid7's Moore notes that the Metasploit, KARMA, and Responder.py tools each have exploits for the original SMB attack, but they rely on the user to make an SMB connection to the attacker. He tested the new attack on a Windows 8.1 ASUS laptop. "At least 50 different HTTP connections were made after a restart and within the first five minutes," Moore says. Most of the connections--including application updaters and weather and news services--could be hijacked by an attacker on the network and would then force the victim's machine to authenticate to a malicious service, he says.

Wallace and the Cylance SPEAR team reported the flaw to Carnegie Mellon CERT, which notified the affected vendors and was set to issue an advisory today.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
