A serious security hole leaves millions of Windows users open to attack, making it possible to extract encrypted credentials from a target machine.
Researchers at Cylance say the problem affects "any Windows PC, tablet or server" (including Windows 10) and is a slight progression of the Redirect to SMB attack discovered by Aaron Spangler way back in 1997.
Redirect to SMB is essentially a man-in-the-middle attack which involves taking control of a network connection. As the name suggests, victims are then redirected to a malicious SMB server which can extract usernames, domains and passwords.
Cylance also reports that software from companies such as Adobe, Oracle and Symantec - including security and antivirus tools - is affected.
In a blog post, Brian Wallace explains that Cylance has spent the last month and a half working with vendors to help fix the problem, but has now decided to make details of the vulnerability public. A technical white paper explains how the original Redirect to SMB attack worked by sending a URL in the form file://18.104.22.168 - this would cause Windows to connect to a malicious SMB server at 22.214.171.124, attempt to authenticate, and essentially hand over security credentials.
Cylance found no fewer than four Windows API functions that can be used to redirect a user from an HTTP or HTTPS connection to a malicious SMB server. The forced authentication makes it relatively easy to get hold of usernames and passwords, even if they are held in encrypted form.
As well as Windows itself, other programs affected by the problem include AVG Free, Internet Explorer, Windows Media Player, BitDefender Free, TeamViewer, and GitHub for Windows.
Wallace points out that:
Although Microsoft has yet to release a patch for the security flaw, Cylance suggests a workaround. By blocking outbound traffic on TCP ports 139 and 445 you can put an obstacle in the way of authentication attempts that originate outside of your network while retaining SMB capabilities within it.
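As an added example (not code from Cylance's paper or from this article), a small Python triage script that checks constructed log lines for the two things described above: an HTTP redirect whose target is a file:// or UNC resource, which would make a Windows client open an SMB session, and an outbound SMB connection (TCP 139/445) leaving the network. The log line formats and the list of internal address ranges are assumptions.

```python
"""Triage helper for the Redirect to SMB pattern: flags HTTP redirects
to file:// or UNC targets and outbound SMB to addresses outside the
network. Log formats and internal ranges below are assumptions."""
import ipaddress
import re
from urllib.parse import urlparse

SMB_PORTS = {139, 445}
# Assumed internal address plan; adjust to your own environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def is_smb_redirect(location: str) -> bool:
    """True if a redirect target would make Windows open an SMB connection:
    a UNC path (\\\\host\\share) or a file:// URL with a remote host part."""
    loc = location.strip()
    if loc.startswith("\\\\"):
        return True
    parsed = urlparse(loc)
    # file:///C:/... has an empty netloc and stays local, so it is not flagged.
    return parsed.scheme.lower() == "file" and bool(parsed.netloc)

def is_external_smb(dst_ip: str, dst_port: int) -> bool:
    """True for TCP 139/445 to an address outside the assumed internal ranges."""
    if dst_port not in SMB_PORTS:
        return False
    addr = ipaddress.ip_address(dst_ip)
    return not any(addr in net for net in INTERNAL_NETS)

# Assumed line formats: proxy log with status and Location header,
# and a connection log with "src -> dst:port tcp".
PROXY_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<status>\d{3}) location="(?P<loc>[^"]*)"$')
CONN_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+) tcp$')

def triage(lines):
    """Return (line, reason) pairs for every line that trips one of the checks."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if m and m.group("status").startswith("3") and is_smb_redirect(m.group("loc")):
            hits.append((line, "http redirect to SMB resource"))
            continue
        m = CONN_RE.match(line)
        if m and is_external_smb(m.group("dst"), int(m.group("port"))):
            hits.append((line, "outbound SMB to external address"))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '2015-04-13T10:00:01Z 10.0.0.5 200 location=""',
    '2015-04-13T10:00:02Z 10.0.0.5 302 location="https://example.com/login"',
    '2015-04-13T10:00:03Z 10.0.0.5 302 location="file://203.0.113.10/share/x"',
    '2015-04-13T10:00:04Z 10.0.0.5 -> 10.0.0.20:445 tcp',
    '2015-04-13T10:00:05Z 10.0.0.5 -> 203.0.113.10:445 tcp',
    '2015-04-13T10:00:06Z 10.0.0.5 -> 203.0.113.10:443 tcp',
]

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(reason, "::", line)
```

Running it flags only the file:// redirect and the SMB connection to 203.0.113.10; the internal SMB session on line four is left alone, which is the behaviour the suggested port-blocking workaround aims for.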