Microsoft Vulnerability: Redirect to SMB

There’s a Microsoft vulnerability that, while not entirely new, has been brought to public attention again lately. This week Cylance, a cybersecurity company, published an article about current Microsoft software that is still vulnerable to a type of attack first discovered in 1997. The attack is known as the “Redirect to SMB” attack.

Here’s how the attack works. (There are helpful diagrams if you click the earlier link to Cylance’s site.)

The victim is given a URL of the “file://” type, like “file://192.168.1.1”. When the victim visits the link using a vulnerable program like Internet Explorer, Windows Media Player, Adobe Reader, or even Apple Software Update, Windows will attempt to download the file using the SMB file-sharing protocol. It will also attempt to authenticate with the file server using the logged-in Windows user’s credentials. That’s the meat of the attack – once a vulnerable program reaches the attacking URL, the credentials are handed to the attacker immediately, without any prompt.
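A small defender-side check, added here and not part of the original article: given a URL or an HTTP redirect, it reports whether a Windows client following it would open an SMB connection to a remote host, which is the condition the paragraph above describes. The function names, the sample UNC paths and the hostname “fs01” are constructed for this example; 192.168.1.1 is the address quoted in the article.

```python
import ipaddress
from urllib.parse import urlsplit

# Hosts that keep a file:// URL local, so no SMB connection leaves the machine.
LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}

def smb_target(url: str):
    """Host a Windows client would contact over SMB for this URL, or None.
    Covers file://host/..., file:////host/... and bare \\\\host\\share paths."""
    url = url.strip()
    if url.startswith("\\\\"):
        # Bare UNC path: the first component after \\ is the file server.
        return url[2:].split("\\", 1)[0] or None
    parts = urlsplit(url)
    if parts.scheme != "file":  # urlsplit lowercases the scheme
        return None
    host = parts.hostname or ""
    if not host and parts.path.startswith("//"):
        # file:////host/share form: the host is the first path component.
        host = parts.path[2:].split("/", 1)[0]
    return None if host.lower() in LOCAL_HOSTS else host

def describe(url: str) -> str:
    """Verdict for one URL, noting whether the SMB host is on the Internet
    (the case where the automatic authentication leaves the network)."""
    host = smb_target(url)
    if host is None:
        return "no remote SMB access"
    try:
        scope = "Internet" if ipaddress.ip_address(host).is_global else "internal"
    except ValueError:
        scope = "named"  # a hostname rather than an IP address
    return f"SMB connection to {scope} host {host}"

def redirect_to_smb(status: int, headers: dict):
    """For an HTTP response (status code and headers), return the SMB host a
    3xx Location header would send a vulnerable client to, or None."""
    if not 300 <= status < 400:
        return None
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    return smb_target(location) if location else None

if __name__ == "__main__":
    # Constructed samples; 192.168.1.1 is the address quoted in the article.
    for sample in ("file://192.168.1.1", "file:///C:/Windows/notepad.exe",
                   "\\\\fs01\\share\\report.pdf", "https://example.com/"):
        print(f"{sample:38} -> {describe(sample)}")
    print(redirect_to_smb(302, {"Location": "file://192.168.1.1/share/x.exe"}))
```

Running the same checks over proxy logs or HTTP responses seen at a gateway turns the “don’t click suspicious links” advice into something that can be alerted on.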

That’s not good. However, there are some mitigating factors.

  • The credentials are encrypted, so an attacker won’t immediately have your plain-text Windows username and password, even if you fall victim to this type of attack. However, that encryption can be cracked given some time, so you should change your username and password immediately if you think you’ve been compromised.
  • The attack doesn’t work if you don’t visit a suspicious link. So, don’t click suspicious links.
  • If an attacker already controls some point on your network, your traffic to an innocent link could be hijacked and redirected to an SMB share, but this is only a threat if you’re on an insecure network in the first place.

The best way to avoid this type of attack is to browse the Internet on secure networks, visit trusted links only, and use secure applications.

By Sharon Campbell
