As MSPoweruser reports, the bug was discovered by a group of researchers who documented it in a recent whitepaper. It uses a weakness in SMB, a protocol that allows Windows to open files stored on network shares, to reveal the username and password of the currently-signed-in user.
It manifests itself in a selection of programs new and old. Microsoft Edge, Internet Explorer, Windows Explorer and Microsoft Outlook are known to be affected.
When Windows loads a file from a network share, it sends the active user’s login credentials in plain text to the server. On a local network, this functionality is desired, even if it is insecure. When loading a webpage referencing an image on an attached server, it can be downloaded seamlessly in the background using the Windows logon credentials. The problems occur when the specified server doesn’t actually exist.
In this instance, Windows still tries to load the file, but over the Internet. It transmits the user’s account credentials as if it were connecting to an authorised server, allowing any hacker to intercept the stream of data packets and expose the username and password.
All the attacker needs to do is create a webpage that includes embedded content that loads a resource from a disconnected network share. They could then intercept the transmission of the account details and have immediate access to the username and password.
The attack is much more significant when targeting a Windows 8 or Windows 10 machine. On these operating systems, the usual way to sign in is with a Microsoft account. The account credentials here are the user’s email address and Microsoft account password. By intercepting the SMB connection, a hacker could obtain an easy way to gain full access to a Microsoft account.
The password is sent as a NTMLv2 hash, providing some basic protection. This could be reversed to obtain a usable password, however. Even without the password, active email addresses can be sold online, allowing criminals to use your identity, sign you up to spam mailing lists or send malware to your inbox.
The researchers warned that “virtually any” Windows machine is vulnerable to this attack. They described the scale of the threat as “unprecedented,” suggesting networks block SMB using Windows Firewall until Microsoft manages to release a patch. The team thanked the Microsoft Security Response Center for jointly working on the vulnerability but no update has been released to date.
Besides the firewall block, there are a few other ways to mitigate the effects of the vulnerability. One obvious one is simply not using the SMB functionality, although this won’t be actionable in many environments. SMB is a very widely used protocol that allows computers to load files from servers, regardless of their operating system. Windows’ network share browsing features are powered by SMB, allowing it to connect to and load files from network shares.
A simpler solution is to ensure you have a strong password and that you don’t reuse it across multiple services. This doesn’t solve the issue entirely though. Your email address will still be exposed and hackers could reverse the hash applied to the password. The researchers determined this could be done in a maximum time of 2 days and 5 hours on a fairly average cracking machine.
This is the second decades-old Windows bug to be discovered in just two months. In July, Microsoft patched a 20-year-old flaw in Windows’ printing software that allows hackers to install malware on your computer. The vulnerability had also been present since the days of Windows 95.
With no fix in sight, Windows users should be careful of how they connect to network shares. VPN provider Perfect Privacy has set up a testing site that lets you check whether your PC is leaking your Microsoft account password, allowing you to witness first-hand the potentially devastating impacts of the vulnerability.
