Adding to the news in today's Verizon report that a 1999 exploit was one of last year's top 10 CVEs – which jointly accounted for almost 97 percent of the exploits observed, Brian Wallace, senior researcher/software engineer SPEAR Team at security vendor Cylance reports how another late 1990s vulnerability can still be exploited.
On his blog, Wallace comments: “We've uncovered a new technique for stealing sensitive login credentials from any Windows PC, tablet or server, including ones running previews of the yet-to-be-released Windows 10 operating system. Software from at least 31 companies including Adobe, Apple, Box, Microsoft, Oracle and Symantec can be exploited using this vulnerability, which we have dubbed Redirect to SMB.”
The announcement follows six weeks working with vendors to overcome the problem and the issuing of a security advisory.
A white paper has been issued explaining the exploit, but essentially, attackers are able to steal user-credentials by hijacking communications with legitimate web servers via man-in-the-middle attacks, then sending them to malicious SMB (server message block) servers using susceptible applications and services that transmit data over HTTP or HTTPS, forcing them to provide the victim's username, domain and hashed password. However, Wallace does note that an attacker needs to be on the same network as a victim and that an attack can be blocked by stopping outbound traffic on TCP ports 139 and 445. UK magazine Computerworld quotes a Microsoft spokesperson as saying that its earlier usage guidance prevents this exploit.