What would you say if we told you that your version of Windows is affected by a vulnerability that dates back to 1997? You’d laugh, right? Surely, after all, Microsoft would have patched the fault prior to releasing Windows 98, or at the latest, Windows 2000?
Well, not quite.
This Redirect to SMB vulnerability has its roots in the identically named attack discovered by Aaron Spangler 18 years ago. And it’s a problem that you need to do something about, because it doesn’t only affect Windows, but also programs from Adobe, Apple, Symantec and even the Windows 10 preview.
Redirect to SMB: What Does it Do?
Affecting Windows PCs, tablets and servers, Redirect to SMB – discovered by Cylance’s Brian Wallace – is a development of the original vulnerability.
In 1997, Spangler found that introducing URLs beginning with “file://” would cause Windows to attempt authentication with an SMB server at the given IP address (for example, file://184.108.40.206), which could then be used to record login credentials. These URLs could be introduced as images, iframes, or any other media displayed by the browser.
SMB is the Server Message Block protocol, mostly used for sharing files, printers, and serial ports on a network. Various versions have been released over the years (Samba is an open source implementation, although there is no suggestion that the vulnerability exists there), and it has long been a target, with real-time scanning demonstrating that SMB is one of the most popular attack vectors for online intruders. It was reported in December that the Sony Pictures hack was performed using an SMB vulnerability.
Redirect to SMB was uncovered by the Cylance team as they investigated ways to abuse a chat client.
“When a URL to an image was received, the client attempted to show a preview of the image. Inspired by Aaron’s research some 18 years ago, we promptly sent another user a URL starting with file:// which pointed to a malicious SMB server. Surely enough, the chat client tried to load the image, and the Windows user at the other end attempted to authenticate with our SMB server.
“We created an HTTP server in Python that answered every request with a simple HTTP 302 status code to redirect clients to a file:// URL, and using that we were able to confirm that an http:// URL could lead to an authentication attempt from the OS.”
It doesn’t take much to prompt someone to enter their credentials, after all – just a legitimate-looking dialogue box.
How Redirect to SMB Might Be Used Against You
Four Windows API functions can be used to redirect an HTTP or HTTPS connection to an SMB connection, where a malicious server may be waiting to harvest user credentials and reuse them for nefarious purposes.
Brian Wallace explains that for Redirect to SMB to be successful, the attacker must be reasonably advanced as there is a requirement to “control… some component of a victim’s network traffic.”
He also points out that the threats can come in the shape of malicious adverts forcing authentication attempts, and Redirect to SMB can also be used in a drive-by attack on public Wi-Fi networks (dangerous at the best of times), launched from a portable computer, and even an Android smartphone.
Potentially one of the most dangerous attack vectors unleashed by Redirect to SMB is via Apple’s iTunes Software Updater. In this scenario, a compromised DNS record could cause update requests to be redirected to an SMB server, again with the result that credentials are harvested via a classic Man-In-The-Middle attack.
Put simply, this is a vulnerability that should have been closed 18 years ago. While Microsoft offered ways to mitigate it then, the opposition – the black hats – have become far more sophisticated in their attacks, with more and more Internet users representing a big pay day. Now would seem to be the time for Microsoft to get its act together on SMB security.
Software Affected by Redirect to SMB
Okay, it’s deep breath time. As well as every version of Windows since the mid-1990s, Redirect to SMB also affects a wide selection of applications and system utilities (at least 31) from some of the biggest names in the industry. To begin with, Microsoft and Apple:
- Internet Explorer 11
- Windows Media Player
- Excel 2010
- Microsoft Baseline Security Analyzer
- Apple iTunes Software Update
Frustratingly for a vulnerability of this kind, security software is also affected.
- Symantec Norton Security Scan
- AVG Free
- BitDefender Free
- Comodo Antivirus
Productivity apps that are known to be vulnerable to Redirect to SMB:
- Adobe Reader
- Box Sync (the Box.net cloud client app)
These utilities and installers are also affected:
- .NET Reflector
- Maltego CE
- GitHub for Windows
- IntelliJ IDEA
- PHP Storm
- Oracle JDK 8u31’s installer
As you can see, this is quite a list, with every application a potential gateway to your credentials for an attacker. But what can you do about it?
Workaround, or Wait for a Patch?
Microsoft is said to be working on a patch to fix the Redirect to SMB vulnerability. But until that happens, what can you do?
As reported by cybersecurity experts Cylance, the best fix is to block traffic sent outbound from your computer through your software firewall or through your router, on TCP 139 and TCP 445. This will block SMB communication between your network and the Internet, and if the change is made on the network firewall, you will still be able to use SMB between devices on your local network. Our guide to the Windows Firewall explains how to create these rules in just a few seconds; for your router, you’ll need to check the device documentation.
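One way to create the outbound block described above on the built-in Windows Firewall, as an added example that is not from the article or from Cylance. It assumes Windows 8 / Server 2012 or later (the NetSecurity module) and an elevated PowerShell session; the rule name is hypothetical, and the remote-address ranges are chosen so that SMB to RFC 1918 private addresses on the local network keeps working while SMB to Internet addresses is blocked.

```powershell
# Added example, not the article's own. Blocks outbound SMB (TCP 139/445)
# to public IPv4 addresses only, so local file and printer sharing is unaffected.
# Hypothetical rule name; adjust to taste.
$ruleName = 'Block outbound SMB to Internet (Redirect to SMB mitigation)'

# Every IPv4 range except 10/8, 127/8, 169.254/16, 172.16/12, 192.168/16
# and multicast/reserved space (224.0.0.0 and above).
$publicRanges = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-126.255.255.255',
    '128.0.0.0-169.253.255.255',
    '169.255.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)

# Remove a stale copy of the rule if this script is re-run.
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Block rules win over allow rules in Windows Firewall, so this takes effect
# regardless of any existing allow rule for the SMB ports.
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 139, 445 `
    -RemoteAddress $publicRanges `
    -Action Block `
    -Profile Any | Out-Null

# Verify the rule landed with the expected ports and addresses.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$rule | Get-NetFirewallPortFilter    | Format-List Protocol, RemotePort
$rule | Get-NetFirewallAddressFilter | Format-List RemoteAddress
```

If the machine has IPv6 connectivity, add the global-unicast range (2000::/3) to the same rule, since a redirect to an IPv6 SMB server would not be caught by the IPv4 ranges above.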
Given the breadth of operating systems and applications affected by this vulnerability, and with the impending arrival of Windows 10, isn’t it about time Microsoft did something about it?