Internet Explorer, Windows Media Player, Excel, QuickTime, AVG, BitDefender, and Comodo Antivirus also vulnerable

Aug 10, 2015 12:25 GMT

At the Black Hat USA 2015 conference in Las Vegas, a team of security researchers led by Jonathan Brossard presented a vulnerability in the Microsoft Server Message Block (SMB) protocol used for sharing files on local networks.

The vulnerability affects all versions of Windows, including the newer Windows 10, and can be exploited over the Internet, something researchers had previously considered impossible.

SMB is a 21-year-old protocol created by IBM that allows files and printers to be shared inside a network. Since its creation it has evolved to version 3.0, which now ships with most Windows installations.

The protocol is most often used in enterprise networks, together with the NTLMv2 authentication protocol, which lets users quickly authenticate themselves to Windows servers.

A faulty DLL is at the core of the problem

The vulnerability discovered by Mr. Brossard's team allows attackers to extract user credentials from a closed Windows domain using an attack technique called SMB relay (essentially a man-in-the-middle attack on SMB traffic).

This technique used to work only inside LANs. Because most enterprise networks have since expanded to include cloud infrastructure, an SMB relay can now be performed over Internet-facing connections as well.

The credential leak happens when a user reads an email, visits a Web page in their browser, or does anything else that involves opening a URL.

Doing so loads a specific DLL that was put in place to protect against SMB relay attacks, but, as the researchers found, its contents and the settings it is supposed to enforce are ignored.

This lets an attacker perform an SMB relay attack, capture the user's credentials, crack the password hash, and then use the credentials to steal information from the network while posing as a regular user.

This is the first vulnerability ever reported to affect the Edge browser

As Mr. Brossard notes, all IE versions are vulnerable, including Microsoft's latest Edge browser, making this "the first attack against Windows 10 and its web browser Spartan."

Other vulnerable applications include Windows Media Player, Adobe Reader, Apple QuickTime, Excel 2010, Symantec's Norton Security Scan, AVG Free, Bitdefender Free Edition, Comodo Antivirus, IntelliJ IDEA, Box Sync, GitHub for Windows, TeamViewer, and many more.

The research paper was written before the Windows 10 launch, and obviously before Spartan was renamed to Edge.

The research also describes several mitigation techniques, but according to Mr. Brossard the most effective one is to configure host-level Windows Firewall rules that stop SMB traffic from leaving the machine toward the Internet on the ports over which an SMB relay can be carried out.
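The following PowerShell is an added example of the host-level firewall mitigation described above; it is not code from the article or from the researchers' paper. It creates an outbound Windows Firewall rule that blocks the standard SMB ports (TCP 445 for direct-hosted SMB and TCP 139 for SMB over NetBIOS) toward any address the machine classifies as Internet, and then verifies that the rule is present. The rule name, the description, and the assumption that the machine runs Windows 8 / Server 2012 or later (where the NetSecurity cmdlets exist) in an elevated session are choices made for this example.

```powershell
# Added example, not from the article or the researchers' paper.
# Host-level Windows Firewall rule that blocks outbound SMB toward the Internet,
# so a URL pointing at an external host cannot make Windows open an SMB session
# (and send NTLMv2 authentication) to it. Assumes Windows 8 / Server 2012 or
# later (NetSecurity module present) and an elevated PowerShell session.
# TCP 445 (direct-hosted SMB) and TCP 139 (SMB over NetBIOS) are the standard
# SMB ports.

$RuleName = 'Block outbound SMB to Internet'   # display name chosen for this example

function Add-SmbEgressBlockRule {
    # Remove any stale copy first so the script can be re-run safely.
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # "Internet" is a built-in -RemoteAddress keyword: every address outside the
    # subnets the machine classifies as local or intranet. Block rules take
    # precedence over allow rules in Windows Firewall, so scoping the block to
    # Internet addresses keeps file and printer sharing on the LAN working.
    New-NetFirewallRule -DisplayName $RuleName `
        -Description 'Mitigation for SMB relay via Internet-facing URLs' `
        -Direction Outbound -Protocol TCP -RemotePort 445, 139 `
        -RemoteAddress Internet -Action Block -Profile Any -Enabled True | Out-Null
}

function Test-SmbEgressBlockRule {
    # Returns $true only when an enabled outbound Block rule covering TCP 445
    # and TCP 139 exists under the expected display name.
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if (-not $rule -or $rule.Enabled -ne 'True' -or
        $rule.Action -ne 'Block' -or $rule.Direction -ne 'Outbound') {
        return $false
    }
    $portFilter = $rule | Get-NetFirewallPortFilter
    $ports = @($portFilter.RemotePort)
    return ($portFilter.Protocol -eq 'TCP' -and
            $ports -contains '445' -and $ports -contains '139')
}

Add-SmbEgressBlockRule
if (Test-SmbEgressBlockRule) {
    'SMB egress block rule is in place'
} else {
    'SMB egress block rule is missing or misconfigured'
}
```

Two caveats apply in practice. The `Internet` keyword relies on the machine's own classification of which subnets are local, so on a domain-joined host the check should be run after the network profile has been established; and because a block rule always wins over an allow rule, a host that legitimately needs SMB to specific external addresses would need a narrower block (explicit public ranges) rather than an exception rule. In a domain, the same rule is normally pushed through Group Policy rather than run per machine.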

"Since virtually any Windows machine part of a corporate network uses IE as a default web browser and is typically part of an Active Directory network, the magnitude of this vulnerability is unprecedented," says Mr. Brossard.