Cylance researchers have disclosed a vulnerability, which they call Redirect to SMB, that lets an attacker steal Windows login credentials from any Windows machine: desktop, tablet or server. All current versions of Windows are affected, including the not yet released Windows 10. Thirty-one software packages are affected, from vendors including Adobe, Apple, Box, Microsoft, Oracle and Symantec.

The Vulnerability

Redirect to SMB lets an attacker who sits as a man in the middle (MITM) on a victim's web traffic hijack a connection to a legitimate web server and answer with a redirect to a malicious SMB (Server Message Block) server. Windows follows the redirect and automatically tries to authenticate to that server, handing it the victim's username, domain and NTLM challenge-response hash, which the attacker can crack offline to recover the password.

An 18-year-old bug

In 1997, Aaron Spangler reported a flaw in Internet Explorer: an attacker could place a URL starting with "file" (such as file://121.2.3.4/) in a web page as an iframe, image or any other resource the browser resolves. When the browser loaded that resource, Windows authenticated to the attacker's SMB server without any user interaction, leaking the victim's credentials. The captured credentials could then be cracked offline or reused against the victim's network. Microsoft never patched the underlying behaviour reported by Spangler, so the bug persisted for 18 years.

Cylance researchers stumbled upon the vulnerability while looking for ways to abuse a chat client's image-preview feature.

Why the bug is larger than first thought

The HTTP/HTTPS to SMB redirection turns out to affect far more than the browser. The commonly used Windows API functions in urlmon.dll that fetch a URL on an application's behalf (URLDownloadToFile, URLDownloadToCacheFile, URLOpenStream and URLOpenBlockingStream) follow an HTTP redirect such as a 302 whose Location is a file:// URL, so any application built on them inherits the flaw. Cylance identified these four functions and reported the affected products to their vendors.
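On the wire, the attack is visible as a 3xx response whose Location header points to a file:// URL or a UNC path (\\host\share), which Windows resolves over SMB. The PowerShell below is an added example, not code from Cylance's report: it scans proxy log lines for such redirects and lists the SMB servers they point to, which is the list a gateway block rule would need. The log format and the sample lines are constructed for this example, and the function name Find-SmbRedirect is this example's own.

```powershell
# Constructed sample proxy log (not a real vendor format):
#   <time> <client-ip> <method> <url> <status> <location-or-dash>
$SampleProxyLog = @(
    '2015-04-13T10:01:02Z 10.0.0.21 GET http://cdn.example.net/banner.png 200 -',
    '2015-04-13T10:01:05Z 10.0.0.21 GET http://cdn.example.net/avatar.png 302 file://203.0.113.9/share/avatar.png',
    '2015-04-13T10:01:07Z 10.0.0.33 GET http://updates.example.net/check 302 http://updates.example.net/v2/check',
    '2015-04-13T10:01:09Z 10.0.0.33 GET http://updates.example.net/v2/check 307 \\203.0.113.9\pub\check',
    '2015-04-13T10:02:11Z 10.0.0.44 GET http://news.example.net/ 301 HTTP://news.example.net/index'
)

function Find-SmbRedirect {
    param([string[]]$Lines)

    foreach ($line in $Lines) {
        # Split into at most 6 fields so a Location containing spaces stays intact.
        $fields = $line -split ' ', 6
        if ($fields.Count -lt 6) { continue }

        $status   = $fields[4]
        $location = $fields[5]

        # Only redirect responses carry a Location the client will follow.
        if ($status -notmatch '^30[1237]$') { continue }

        # Both file:// URLs and UNC paths make Windows open an SMB session and
        # authenticate to the named host. -match is case-insensitive by default.
        if ($location -match '^(file://|\\\\)') {
            # Strip the scheme or leading backslashes, then keep the host part.
            $smbHost = ($location -replace '^(file://|\\\\)', '') -split '[/\\]' |
                Select-Object -First 1

            [pscustomobject]@{
                Time     = $fields[0]
                Client   = $fields[1]
                Request  = $fields[3]
                Status   = $status
                Location = $location
                SmbHost  = $smbHost
            }
        }
    }
}

# Report every redirect to SMB found in the sample log.
Find-SmbRedirect -Lines $SampleProxyLog | Format-Table -AutoSize

# Distinct SMB servers the redirects point to, i.e. candidates for a gateway block.
Find-SmbRedirect -Lines $SampleProxyLog |
    Select-Object -ExpandProperty SmbHost -Unique
```

Against the constructed log the function reports the two redirects (the 302 to file://203.0.113.9/... and the 307 to \\203.0.113.9\...) and ignores the ordinary HTTP-to-HTTP redirects; a 3xx to file:// coming from a public web server is never legitimate, so every hit deserves investigation of both the client and the server that answered.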

Affected Vendors and their Products

A total of 31 vulnerable software packages were discovered and reported by Cylance. They include:

Widely Used Applications:

Adobe Reader, Apple QuickTime and Apple Software Update (which also handles updates for iTunes)

Microsoft Applications:

Internet Explorer, Windows Media Player, Excel 2010 and Microsoft Baseline Security Analyzer

Antivirus:

Symantec's Norton Security Scan, AVG Free, Bitdefender Free, Comodo Antivirus

Security Tools:

.NET Reflector, Maltego CE

Team Tools:

Box Sync, TeamViewer

Developer Tools:

GitHub for Windows, PyCharm, IntelliJ IDEA, PhpStorm, JDK 8u31 installer

Mitigation

According to Cylance, no Microsoft patch for Redirect to SMB was available at the time of the report. Until one exists, users can block outbound traffic on TCP 139 and TCP 445, either at the endpoint firewall or at the network gateway firewall (assuming you are on a trusted network). Blocking at the endpoint stops all SMB communication, which may break other features that depend on SMB, such as file shares. Blocking at the gateway keeps SMB working inside the network while preventing authentication attempts to destinations outside it. Further mitigations are listed in the report published by Cylance.
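The endpoint-versus-gateway trade-off can be narrowed on the endpoint itself: Windows Firewall can scope a block rule to remote addresses it classifies as Internet, so SMB to the local network keeps working while an authentication attempt to an external SMB server is refused. The PowerShell below is an added example, not a Cylance recommendation: it creates such a rule, reads back its filters, and probes an external address to confirm the block. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later; the rule name and the test address 203.0.113.9 (a documentation range standing in for an attacker's server) are this example's choices, and the Internet keyword depends on Network Location Awareness classifying the network correctly.

```powershell
# Added example: block outbound SMB (TCP 139/445) to Internet destinations so an
# HTTP redirect to file://<external-host>/... cannot complete an SMB authentication.
# Run from an elevated PowerShell. The display name is this example's own choice.
$RuleName = 'Block outbound SMB to Internet (Redirect to SMB mitigation)'

New-NetFirewallRule -DisplayName $RuleName `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 139, 445 `
    -RemoteAddress Internet `
    -Action Block `
    -Profile Any

# Read back the rule's port and address filters to confirm the scope is as intended
# (RemotePort 139,445 and RemoteAddress Internet).
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallPortFilter
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter

# Client-side check: a TCP connection to port 445 on an external host should now fail
# (TcpTestSucceeded is False). 203.0.113.9 is a documentation address used as a stand-in.
Test-NetConnection -ComputerName 203.0.113.9 -Port 445 -InformationLevel Detailed
```

Removing the -RemoteAddress Internet parameter turns this into the stricter option the report describes, blocking all outbound SMB from the host including to servers on the local network. Either way, the rule stops the SMB session from completing; it does not stop the vulnerable application from following the redirect, so the gateway block and the eventual vendor fixes remain necessary.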