All Windows versions appear to be affected by this flaw

Apr 14, 2015 05:30 GMT
Users can only become vulnerable if they click a malicious link provided by the attacker

A security flaw uncovered by Cylance allows hackers to steal usernames and passwords from computers running any Windows version currently on the market, including the Windows 10 Technical Preview that’s technically not available for consumers right now.

In a blog post detailing the issue, Cylance writes that not only Microsoft’s own applications are affected but also software from around 30 other companies, including Symantec, Adobe, and Apple.

The exploit relies on a malicious link that the attacker sends to the victim. Once the link is opened on a vulnerable computer, Windows performs SMB authentication without any prompt, so cybercriminals obtain the user’s login credentials without any warning.

The security firm calls this method “redirect to SMB” and describes it as a way “for attackers to steal valuable user credentials by hijacking communications with legitimate web servers via man-in-the-middle attacks, then sending them to malicious SMB (server message block) servers that force them to spit out the victim’s username, domain and hashed password.”
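Because the attack hinges on a web response that sends a Windows client to an SMB share (an HTTP 3xx redirect whose Location is a file:// URL or a UNC path, which is what Cylance’s name “redirect to SMB” refers to), one place defenders can look for it is the outbound web proxy log. The script below is an added example written for this article, not code from Cylance or the article’s author. It assumes a simplified, constructed proxy log with six whitespace-separated fields (timestamp, client, method, URL, status, Location) and flags redirects whose target is an SMB server, noting whether that server sits outside the RFC 1918 ranges; every host and address in the sample log is made up.

```python
"""Flag HTTP redirects that point a Windows client at an SMB share.

Added example for this article (not Cylance's or the author's code). The log
format is a constructed, simplified proxy log with six whitespace-separated
fields: timestamp client method url status location ("-" when absent).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# 3xx responses that make a client follow the Location header.
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# UNC path such as \\server\share\file: capture the server name.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")

# Address space treated as "inside" the site (RFC 1918 plus loopback and
# link-local); an SMB server anywhere else is reported as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class Finding:
    client: str       # internal client that was redirected
    url: str          # URL the client originally requested
    status: int       # HTTP status of the redirect
    location: str     # raw Location header value
    smb_host: str     # server the client would authenticate to over SMB
    external: bool    # True when that server is outside INTERNAL_NETS


def smb_target(location: str) -> Optional[str]:
    """Return the SMB server named by a Location value, or None if it is not SMB-bound."""
    m = UNC_RE.match(location)
    if m:
        return m.group(1)
    parsed = urlparse(location)
    if parsed.scheme.lower() in ("file", "smb") and parsed.netloc:
        return parsed.hostname
    return None


def is_external(host: str) -> bool:
    """Heuristic: literal IPs are checked against INTERNAL_NETS; a dotted
    hostname is assumed external and a single-label name internal."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." in host
    return not any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Optional[Tuple[str, str, int, str]]:
    """Split one constructed log line into (client, url, status, location)."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _ts, client, _method, url, status, location = parts
    try:
        return client, url, int(status), location
    except ValueError:
        return None


def find_smb_redirects(lines: List[str]) -> List[Finding]:
    """Return every redirect whose Location would make the client speak SMB."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, url, status, location = rec
        if status not in REDIRECT_STATUSES or location == "-":
            continue
        host = smb_target(location)
        if host is None:
            continue
        findings.append(Finding(client, url, status, location, host, is_external(host)))
    return findings


# Constructed sample log: one benign HTTP redirect, one redirect to an internal
# UNC path, and two redirects to SMB servers outside the site (the worrying case).
SAMPLE_LOG = [
    "2015-04-14T05:30:01Z 10.0.0.12 GET http://updates.example.com/check 302 http://cdn.example.com/check",
    "2015-04-14T05:30:02Z 10.0.0.12 GET http://cdn.example.com/check 200 -",
    "2015-04-14T05:30:07Z 10.0.0.33 GET http://news.example.org/story 302 file://203.0.113.7/share/logo.png",
    "2015-04-14T05:30:09Z 10.0.0.41 GET http://intranet.example.com/doc 301 \\\\fileserver01\\public\\doc.pdf",
    "2015-04-14T05:30:11Z 10.0.0.50 GET http://free-stuff.example.net/x 307 smb://198.51.100.9/loot",
]

if __name__ == "__main__":
    for f in find_smb_redirects(SAMPLE_LOG):
        flag = "EXTERNAL" if f.external else "internal"
        print(f"{f.client} -> {f.smb_host} ({flag}) via {f.status} from {f.url}")
```

Run against the constructed log, the script reports three SMB-bound redirects, two of them to servers outside the internal ranges. Internal UNC redirects are still listed because an intranet application redirecting to a file share is common and is worth seeing alongside the external hits rather than being silently dropped; the `external` flag is what an alert rule would key on.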

Several Microsoft apps affected

Right now, the vulnerability list includes several Microsoft applications, among them Internet Explorer and Windows Media Player. Applications developed by other companies, including antivirus software and media players, are also said to be affected.

Redmond has already confirmed the flaw, but the company has yet to provide a fix that would keep users secure. It has, however, mentioned that computers running Extended Protection for Authentication are fully protected.

As a general word of advice for end users, it’s better to avoid clicking suspicious links coming from unknown sources, at least until Microsoft patches the flaw. Running up-to-date antivirus software could also help, but, as Microsoft points out, this flaw cannot be exploited without the user knowingly clicking a link, so if you stay on the safe side, there is no way to get exploited.

Windows XP users, beware! Microsoft won’t release a patch for this particular operating system, so if you’re still running it, your PC will remain vulnerable for good.

Update: Microsoft has provided a statement to confirm the flaw, but also to downplay its severity, saying that users are solely responsible for their online protection against this issue.