Redirect to SMB Vulnerability: 18-Year-Old Flaw Morphs Into Huge Threat to Windows Machines

April 15, 2015 @ 4:43 PM
| |
2 min read

Some of the deadliest security threats have only emerged over the past few years, but experts say cybercriminals may be able to exploit a so-called SMB vulnerability that has been around for nearly two decades to hijack Windows machines.

Researchers at security firm Cylance published a blog reporting the problem, which is associated with a redirect in the Server Message Block (SMB) common to nearly all Microsoft Windows-based systems. The SMB vulnerability is essentially a way to dupe potential victims into passing on login credentials to third-party servers, and it builds upon a discovery by Microsoft’s Aaron Spengler in 1997 that URLs beginning with “file” could be compromised. In this case, however, cybercriminals can also take aim at HTTP or HTTPS requests to recover usernames and passwords.

A story on Threatpost suggested initial phishing schemes to use URLs in this way could be followed up by even more comprehensive attacks to take over an entire system. In that case, the specific victims might not be the average computer users in a company but rather people working in areas of the IT department who have administrative control over mission-critical parts of the organization.

The scope of this threat is not limited to the Windows operating system. It also extends to a host of commonly used applications, including enterprise software from Oracle, Box, Adobe and Apple, CSO Online reported. Attacks might also take several forms beyond clicking on a URL, including the use of chat apps, which was how the Cylance researchers originally stumbled upon the SMB vulnerability. With that said, cybercriminals would need to monitor an organization carefully and wait for a user to make an SMB connection to potentially start to steal any data.

In fact, Microsoft attempted to reassure users in an email statement that was reprinted by ZDNet and others, suggesting it already has tools within its core products that would help prevent the type of man-in-the-middle attacks based on the SMB vulnerability. On the other hand, the U.S. Computer Emergency Readiness Team felt it necessary to issue an advisory to raise awareness about the problem, and so far, few details have been released about forthcoming patches or workarounds from Microsoft.

EnterpriseTech suggested IT departments should focus on Port TCP 139 and 145 and prohibit the ability for traffic to be readily accessible to the outside world. Otherwise, advanced cybercriminals might not need much time to do damage, either through app updates, file sharing or just sending documents to a printer. Even if it’s a difficult hack to pull off, the SMB vulnerability is prevalent enough to become a top priority for chief security officers in the months to come.

Shane Schick
Writer & Editor
Shane Schick is a contributor for SecurityIntelligence.