On Monday, researchers at the security company Cylance disclosed an existing vulnerability in all versions of Windows, including the yet-to-be-released Windows 10. The vulnerability enables hackers to steal sensitive users’ information.
The Redirect to SMB Vulnerability
In his blog post, Brian Wallace from Cylance explained:
“Redirect to SMB is a way for attackers to steal valuable user credentials by hijacking communications with legitimate web servers via man-in-the-middle attacks, then sending them to malicious SMB (server message block) servers that force them to spit out the victim’s username, domain and hashed password.”
Cylance uncovered the Redirect to SMB (server message block) just now while looking for ways to compromise a chat client feature that provides image previews. しかしながら, Redirect to SMB is an extension to the original vulnerability that was first researched by Aaron Spangler in 1997. The original method of attack affected Internet Explorer.
In their Redirect to SMB white paper, Cylance say:
“The premise is simple: trick users into clicking on a link that causes their browser to authenticate with a remote SMB server controlled by an attacker. The result is the attacker obtains the target’s encrypted credentials.”
What’s Affected by Redirect to SMB
According to Brian Wallace, the vulnerability affects:
- Various devices and machines: from any Windows PC to tablets and servers
- Popular Applications: アドビリーダー, Apple QuickTime, and Apple Software Update
- Microsoft Applications: Internet Explorer, Windows Media Player, Excel 2010, and even in Microsoft Baseline Security Analyzer
- Antivirus: Symantec’s Norton Security Scan, AVG Free, BitDefender Free, Comodo Antivirus
- Security Tools: .NET Reflector, Maltego CE
- Team Tools: Box Sync, TeamViewer
- Developer Tools: Github for Windows, PyCharm, IntelliJ IDEA, PHP Storm, JDK 8u31’s installer
How Redirect to SMB Is Used
According to Brian Wallace, “Redirect to SMB is most likely to be used in targeted attacks by advanced actors because attackers must have control over some component of a victim’s network traffic.” He added, “Malicious ads could also be crafted that would force authentication attempts from IE users while hiding malicious behavior from those displaying the advertising.”