What would you say if we told you that your version of Windows is affected by a vulnerability that dates back to 1997? You’d laugh, right? Surely, after all, Microsoft would have patched the fault prior to releasing Windows 98, or at the latest, Windows 2000?

Well, not quite.

This Redirect to SMB vulnerability has its roots in the identically-named attack discovered by Aaron Spangler 18 years ago. And it’s a problem that you need to do something about, because it doesn’t only affect Windows, but also programs from Adobe, Apple, Symantec and even the Windows 10 preview.

Redirect to SMB: What Does it Do?

Affecting Windows PCs, tablets and servers, Redirect to SMB – discovered by Cylance’s Brian Wallace – is a development of the original vulnerability.

In 1997, Spangler found that a URL beginning with “file://” (for example, file://1.1.1.1) would cause Windows to attempt authentication with an SMB server at the given IP address, which could then be used to record login credentials. These URLs could be introduced as images, iframes, or any other media displayed by the browser.


SMB is the Server Message Block protocol, mostly used for sharing files, printers, and serial ports on a network. Various versions have been released over the years (Samba is an open source implementation, although there is no suggestion that the vulnerability exists there), and it has long been a target, with real-time scanning demonstrating that SMB is one of the most popular attack vectors for online intruders. It was reported in December that the Sony Pictures hack was performed using an SMB vulnerability.

Redirect to SMB was uncovered by the Cylance team as they investigated ways to abuse a chat client.

“When a URL to an image was received, the client attempted to show a preview of the image. Inspired by Aaron’s research some 18 years ago, we promptly sent another user a URL starting with file:// which pointed to a malicious SMB server. Surely enough, the chat client tried to load the image, and the Windows user at the other end attempted to authenticate with our SMB server.

“We created an HTTP server in Python that answered every request with a simple HTTP 302 status code to redirect clients to a file:// URL, and using that we were able to confirm that an http:// URL could lead to an authentication attempt from the OS.”

It doesn’t take much to prompt someone to enter their credentials, after all – just a legitimate-looking dialogue box.
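As an added illustration (not code from the article or from Cylance), here is a defender-side check in Python for the two delivery mechanisms described above: an HTTP 3xx response whose Location header points at a file:// URL, and HTML media references (img, iframe and similar) that name a remote SMB host. The sample response and HTML are constructed for the example, and the hosts use the RFC 5737 documentation address range. A local file:/// path with no host is deliberately not flagged, since it never leaves the machine.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# URL shapes that make a Windows client open an SMB session to the named host:
# file://host/share and smb://host/share, plus a UNC path such as \\host\share.
SMB_SCHEMES = {"file", "smb"}
UNC_RE = re.compile(r"^\\\\[^\\]+\\")


def is_smb_target(url: str) -> bool:
    """True if fetching this URL would make a Windows client talk SMB to a remote host."""
    url = url.strip()
    if UNC_RE.match(url):
        return True
    parsed = urlparse(url)
    # file:///C:/local/path has an empty netloc and stays on the local disk;
    # file://192.0.2.10/share names a remote host and triggers authentication.
    return parsed.scheme.lower() in SMB_SCHEMES and bool(parsed.netloc)


def check_http_response(raw: bytes) -> list:
    """Return findings for a raw HTTP response head: a 3xx whose Location is an SMB target."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = lines[0].split(" ", 2)
    code = int(status[1]) if len(status) > 1 and status[1].isdigit() else 0
    findings = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location" and 300 <= code < 400 and is_smb_target(value):
            findings.append(f"HTTP {code} redirect to SMB target: {value.strip()}")
    return findings


class MediaRefScanner(HTMLParser):
    """Flags tags whose resource attributes point at an SMB host (the image/iframe vector)."""
    ATTRS = {"src", "href", "data", "poster"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.ATTRS and value and is_smb_target(value):
                self.findings.append(f"<{tag} {name}> points at SMB target: {value}")


def scan_html(html: str) -> list:
    """Return findings for every media reference in an HTML document."""
    scanner = MediaRefScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed samples: a 302 redirect of the kind Cylance described, and a page
# mixing a harmless image, an iframe aimed at an SMB host, and a local file path.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: file://192.0.2.10/share/preview.png\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_HTML = (
    '<html><body><img src="https://example.com/logo.png">'
    '<iframe src="file://192.0.2.10/c$"></iframe>'
    '<img src="file:///C:/Users/Public/local.png"></body></html>'
)

if __name__ == "__main__":
    for finding in check_http_response(SAMPLE_RESPONSE) + scan_html(SAMPLE_HTML):
        print(finding)
```

The same `is_smb_target` check can be dropped into a proxy or mail gateway filter; the point is that the decision hinges on whether the URL names a remote host, not on the scheme alone.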

How Redirect to SMB Might Be Used Against You

Four Windows API functions can be used to redirect an HTTP or HTTPS connection to an SMB connection, where a malicious server may be waiting to siphon away user credentials and reuse them for nefarious purposes.

Brian Wallace explains that for Redirect to SMB to be successful, the attacker must be reasonably advanced as there is a requirement to “control… some component of a victim’s network traffic.”

He also points out that the threats can come in the shape of malicious adverts forcing authentication attempts, and that Redirect to SMB can also be used in a drive-by attack on public Wi-Fi networks (dangerous at the best of times), launched from a portable computer, or even an Android smartphone.

Potentially one of the most dangerous attack vectors unleashed by Redirect to SMB is via Apple’s iTunes Software Updater. In this scenario, a compromised DNS record could lead to update requests being directed to an SMB server, again with the result that credentials are harvested via a classic man-in-the-middle attack.

Put simply, this is a vulnerability that should have been closed 18 years ago. While Microsoft offered ways to mitigate it then, the opposition – the black hats – have become far more sophisticated in their attacks, with more and more Internet users representing a big pay day. Now would seem to be the time for Microsoft to get its act together on SMB security.

Software Affected by Redirect to SMB

Okay, it’s deep breath time. As well as every version of Windows since the mid-1990s, Redirect to SMB also affects a wide selection of applications and system utilities (at least 31) from some of the biggest names in the industry. To begin, Microsoft and Apple.

Microsoft:

  • Internet Explorer 11
  • Windows Media Player
  • Excel 2010
  • Microsoft Baseline Security Analyzer

Apple:

  • QuickTime
  • Apple iTunes Software Update

Frustratingly for a vulnerability of this kind, security software is also affected.

  • Symantec Norton Security Scan
  • AVG Free
  • BitDefender Free
  • Comodo Antivirus

Productivity apps that are known to be vulnerable to Redirect to SMB:

[Image: muo-security-smb-password-boxsync]

These utilities and installers are also affected:

  • .NET Reflector
  • Maltego CE
  • GitHub for Windows
  • PyCharm
  • IntelliJ IDEA
  • PHP Storm
  • Oracle JDK 8u31’s installer

As you can see, this is quite a list, with every application a potential gateway to your credentials for an attacker. But what can you do about it?

Workaround, or Wait for a Patch?

Microsoft is said to be working on a patch to fix the Redirect to SMB vulnerability. But until that happens, what can you do?

As reported by cybersecurity experts Cylance, the best fix is to block traffic sent outbound from your computer on TCP 139 and TCP 445, through your software firewall or through your router. This will block SMB communication between your network and the Internet, and if the change is made on the network firewall, you will still be able to use SMB between devices on your local network. Our guide to the Windows Firewall explains how to create these rules in just a few seconds; for your router, you’ll need to check the device documentation.
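To make the workaround above concrete, here is an added Python model (not code from the article, Cylance or any firewall vendor) of the outbound policy: allow TCP 139/445 to the local subnet, then block those ports to everything else. It evaluates rules first-match, as a router ACL does, and compares that policy against a naive "block SMB everywhere" rule and a misordered one, so you can see which variant still lets LAN file sharing work. The LAN range and connection attempts are constructed sample data using RFC 1918 and RFC 5737 addresses.

```python
import ipaddress
from dataclasses import dataclass

# Ports Cylance recommends blocking outbound: NetBIOS session (139) and direct SMB (445).
SMB_PORTS = (139, 445)


@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "block"
    ports: tuple   # remote TCP ports the rule covers
    remote: str    # a CIDR, or the keywords "LocalSubnet" / "Any"


def rule_matches(rule, local_net, dst_ip, dst_port):
    """True if an outbound TCP connection to dst_ip:dst_port falls under this rule."""
    if dst_port not in rule.ports:
        return False
    if rule.remote == "Any":
        return True
    if rule.remote == "LocalSubnet":
        return dst_ip in local_net
    return dst_ip in ipaddress.ip_network(rule.remote, strict=False)


def outbound_verdict(policy, local_cidr, dst_ip, dst_port, default="allow"):
    """First-match evaluation of an ordered rule list; unmatched traffic gets the default."""
    local_net = ipaddress.ip_network(local_cidr, strict=False)
    ip = ipaddress.ip_address(dst_ip)
    for rule in policy:
        if rule_matches(rule, local_net, ip, dst_port):
            return rule.action
    return default


# Three candidate policies for the same goal.
NAIVE_POLICY = [Rule("block", SMB_PORTS, "Any")]          # blocks LAN shares too
RECOMMENDED_POLICY = [
    Rule("allow", SMB_PORTS, "LocalSubnet"),               # keep file/printer sharing on the LAN
    Rule("block", SMB_PORTS, "Any"),                       # drop SMB to every other host
]
MISORDERED_POLICY = [                                      # same rules, wrong order
    Rule("block", SMB_PORTS, "Any"),
    Rule("allow", SMB_PORTS, "LocalSubnet"),
]

# Constructed sample: one LAN and the connection attempts we care about.
LAN_CIDR = "192.168.1.0/24"
ATTEMPTS = {
    "lan_fileserver_445": ("192.168.1.20", 445),
    "internet_smb_445": ("203.0.113.5", 445),
    "internet_netbios_139": ("203.0.113.5", 139),
    "internet_https_443": ("203.0.113.5", 443),
}


def evaluate_policy(policy, local_cidr=LAN_CIDR, attempts=ATTEMPTS):
    """Map each named attempt to the verdict the policy gives it."""
    return {name: outbound_verdict(policy, local_cidr, ip, port)
            for name, (ip, port) in attempts.items()}


if __name__ == "__main__":
    for label, policy in (("naive", NAIVE_POLICY),
                          ("recommended", RECOMMENDED_POLICY),
                          ("misordered", MISORDERED_POLICY)):
        print(label, evaluate_policy(policy))
```

The misordered case is the one to watch for on a host firewall: Windows Firewall gives block rules precedence over allow rules regardless of the order you create them, so a block rule there must itself be scoped to non-local addresses rather than relying on an earlier allow. On a router, where rules are usually first-match, the order shown in the recommended policy is what keeps LAN shares working.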

Given the breadth of operating systems and applications affected by this vulnerability, and with the impending arrival of Windows 10, isn’t it about time Microsoft did something about it?

Image Credits: Password via Shutterstock

  1. rk
    April 23, 2015 at 7:28 pm

    I understand this article for the most part. I have a wireless router which is supposed to act as a firewall, am I mistaken? If so, what if anything do I need to do on the hardware router to make it act as a firewall? The article talks about blocking all traffic between my PC and the internet. Wouldn't that prevent me from uploading data to a site say pics for example? Pardon the novice questions but any clear explanation/advice is appreciated. Thanks.

    • Christian Cawley
      April 27, 2015 at 6:49 pm

      What you would need to do is block as specified in the Workaround section. There was no mention of blocking all traffic, as that would, as you say, prevent you doing anything online.

      Now, your router should be acting as a firewall, but you would need to login to it to check. Usually, the default credentials are printed on the router, or in the documentation. How you might apply the block depends on your router; the interfaces are different across different devices, which is why I didn't give explicit instructions here.

  2. John Williams
    April 20, 2015 at 11:33 pm

    Feeling quite smug now. I don't use a single one of the programs in the vulnerable list ....

  3. Blade
    April 20, 2015 at 1:31 pm

    I don't have time to build a test, but I suspect one could turn off the option to use URLs as files, and that would mitigate it to some degree.

  4. Steve
    April 20, 2015 at 1:27 pm

    Get yourself a Mac or Linux box. This is just one more reason.

    • Alan P
      April 20, 2015 at 10:00 pm

      SMB also is alive and well (ish) in OS X too

    • Steve
      April 21, 2015 at 1:25 am

      No, the bug does not affect OS X. Every version of Windows is affected however. QuickTime and iTunes download are affected but not OS X. Apparently you believe OS X is the same as QuickTime or iTunes download! Like I said, with all security matters on a computer you're always better off with either OS X or Linux. Anyone that tells you it's just because these OSes are less used is drinking the Kool-Aid.

  5. Sam
    April 18, 2015 at 12:14 pm

    So what was Microsoft's (and the other companies) excuses for not fixing the known bug? Journo? Anyone put the question to them?

    • Billy Gates
      April 19, 2015 at 9:39 pm

      Let's all blame Microsoft when these other companies have the same vulnerability. Typical faggots.

  6. GuynotGuy
    April 17, 2015 at 2:44 pm

    The only secure windows OS is an unplugged windows OS

  7. Ziaur Rahman
    April 17, 2015 at 11:54 am

    Windows will never be safe: past, present & future.

  8. John Smith
    April 16, 2015 at 9:37 pm

    Dang,

    I have :
    QuickTime
    Apple iTunes Software Update
    Symantec Norton Security Scan
    .NET Reflector
    GitHub for Windows
    PyCharm
    IntelliJ IDEA

    Guess I'll need to find some way to block SMB traffic. :(

    • GWB1
      April 21, 2015 at 4:45 pm

      TCP Block

  9. DonGateley
    April 16, 2015 at 6:51 pm

    If I understand your summary, changing the Windows firewall on my computer will block all SMB traffic and thus all network drives so one must use a firewall that directly faces the internet behind which a LAN operates. Like a router with a firewall.

    Is that correct or does blocking those ports locally to a machine still allow SMB on the local network?

    • Computer Wizard
      April 17, 2015 at 4:19 am

      I think the author meant the router's firewall, NOT the Windows one... to allow local network to share but NOT the Internet...

    • DonGateley
      April 17, 2015 at 4:50 am

      Thanks. That was my take away too but I wanted to be sure before going looking for a new router that has one.
