Microsoft downplays new report of Windows flaw

Researchers say a new variation on an old flaw could allow hackers to steal log-in credentials from users of every version of Windows. Microsoft doesn't seem too worried.

Don Reisinger

Former CNET contributor Don Reisinger is a technology columnist who has covered everything from HDTVs to computers to Flowbee Haircut Systems. Besides his work with CNET, Don's work has been featured in a variety of other publications including PC World and a host of Ziff-Davis publications.


Image caption: A look at how "Redirect to SMB" could work in one attack method. (Image credit: Cylance)

Security research firm Cylance says it's found a vulnerability in Windows that could let hackers steal user names and passwords, but Microsoft isn't so sure it's worth focusing on.

Any Windows PC, tablet or server running Windows 8.1 or earlier -- and even devices running the as-yet-unreleased Windows 10 -- is subject to a vulnerability Cylance reported on its blog on Monday. The company, which dubbed the attack "Redirect to SMB," says the vulnerability is related to a similar flaw first discovered in Windows in 1997 by researcher Aaron Spangler, which caused Windows to automatically send a user's Windows username and password to anything it believed was a server. Cylance says the issue was never patched by Microsoft.

At the heart of the new attack is SMB, or server message block. SMB is a protocol that allows for file sharing over a network. In Windows, SMB is often used by companies to share files from a server across an entire company network.

According to Cylance, a "Redirect to SMB" attack requires that a victim either enter a URL beginning with "file://" or click on a malicious link that leads to one. Because of the flaw, Windows treats such a link as a request by the user to open a file on a remote server and automatically sends the user's credentials to that server.
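The behaviour described above gives defenders something concrete to look for: an HTTP redirect whose target is a "file://" URL (or a UNC path) naming a host outside the local machine. The following is an added example, not code from the CNET article, Cylance or Microsoft; it scans a constructed, hypothetical proxy log format (timestamp, client, method, request URL, status, Location header) and flags the redirects that would cause a Windows client to attempt an SMB connection to a remote host.

```python
"""
Detection helper (added example; not from the article or from Cylance):
flag HTTP redirects whose target is a file:// URL or UNC path pointing at a
host other than the local machine, the pattern the article calls
"Redirect to SMB". The log format and the sample lines are constructed.
"""
import re
from urllib.parse import urlparse, unquote

# Constructed sample proxy log, one request per line:
# <timestamp> <client> <method> <request-url> <status> <Location header or "-">
SAMPLE_LOG = """\
2015-04-13T10:01:02Z 10.0.0.5 GET http://updates.example.test/check 302 http://cdn.example.test/check
2015-04-13T10:01:03Z 10.0.0.5 GET http://cdn.example.test/check 302 file://203.0.113.7/share/update.exe
2015-04-13T10:02:10Z 10.0.0.9 GET http://intranet.example.test/doc 302 file://localhost/C:/docs/doc.pdf
2015-04-13T10:03:44Z 10.0.0.9 GET http://ads.example.test/pixel 302 http://images.example.test/pixel.png
2015-04-13T10:04:00Z 10.0.0.5 GET http://ads.example.test/banner 301 \\\\203.0.113.7\\share\\banner.png
2015-04-13T10:05:00Z 10.0.0.5 GET http://ads.example.test/x 200 -
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<location>\S+)$'
)
REDIRECT_STATUSES = {'301', '302', '303', '307', '308'}
# Hosts that resolve to the local machine; a file:// URL naming these does
# not leave the box and is not the pattern we care about here.
LOCAL_HOSTS = {'', 'localhost', '127.0.0.1', '::1'}


def remote_file_target(location: str):
    """Return the remote host named by `location` if it is a file:// URL or a
    UNC path pointing off the local machine, otherwise None."""
    # UNC form: \\host\share\path
    if location.startswith('\\\\'):
        host = location[2:].split('\\', 1)[0].lower()
        return host if host and host not in LOCAL_HOSTS else None

    parsed = urlparse(location)
    if parsed.scheme.lower() != 'file':
        return None

    host = unquote(parsed.netloc).split('@')[-1].lower()  # drop any user info
    # file:////host/share is parsed with an empty netloc and the host in the path.
    if not host and parsed.path.startswith('//'):
        host = parsed.path[2:].split('/', 1)[0].lower()
    return None if host in LOCAL_HOSTS else host


def find_smb_redirects(log_text: str):
    """Parse the log and return one alert per redirect to a remote file:// or
    UNC target. Lines that do not match the format are skipped."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m['status'] not in REDIRECT_STATUSES:
            continue
        host = remote_file_target(m['location'])
        if host:
            alerts.append({
                'time': m['ts'],
                'client': m['client'],
                'request': m['url'],
                'target_host': host,
                'location': m['location'],
            })
    return alerts


if __name__ == '__main__':
    for alert in find_smb_redirects(SAMPLE_LOG):
        print(f"{alert['time']} client {alert['client']} redirected from "
              f"{alert['request']} to SMB host {alert['target_host']} "
              f"({alert['location']})")
```

On the constructed log, the two redirects that point at 203.0.113.7 (one as a file:// URL, one as a UNC path) are flagged, while the redirect to file://localhost and the ordinary http:// redirects are not. The same `remote_file_target` check can be applied to Location headers seen on a proxy in real time, or to links extracted from documents, which is the kind of control the article's 2009 Microsoft guidance is aimed at.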

Once hackers obtain the credentials, they'll find that the passwords are encrypted. However, Cylance says that a person who has a higher-end graphics processing unit "could crack any 8-character password consisting of letters (upper and lower case) as well as numbers in less than half a day."

There's debate, however, over whether the flaw is as serious as Cylance argues. The issue has been known for several years, and Microsoft provided guidance in 2009, in two separate security advisories, on how to protect against it.

On Monday, Microsoft downplayed the Cylance "discovery," saying that it wasn't new at all and that the chances of falling victim to the attack are slim.

"We don't agree with Cylance's claims of a new attack type. Cybercriminals continue to be engaged in a number of nefarious tactics," a Microsoft spokesperson said. "However, several factors would need to come together for this type of cyberattack to work, such as success in luring a person to enter information into a fake website. We encourage people to avoid opening links in emails from senders that they don't recognize or visiting unsecure sites."

Cylance reported that it has discovered 31 programs that are vulnerable to the flaw, including Internet Explorer and Excel 2010. The company also discovered that Adobe Reader, Apple QuickTime and Symantec's Norton Security Scan can also fall victim to the attack. Carnegie Mellon University, which also outlined the flaw on Monday after discovering it for itself, said that most applications that go out on the Internet to check for software updates, for instance, are subject to the flaw.