Windows ‘Redirect to SMB’ exploit could affect millions, say security researchers


A Windows vulnerability named “Redirect to SMB” has been discovered by researchers at security firm Cylance, which warned that, while it relies on social engineering to be effective, it could potentially affect millions of computers.

The exploit depends on persuading a user to click a particular link in an email or on a website, at which point Redirect to SMB (Server Message Block) can hijack the connection and capture login credentials, because the victim’s system is then made to authenticate to a server controlled by the attackers.

Cylance has commented that the exploit is similar to one last seen in the 1990s, which took advantage of a Microsoft Internet Explorer weakness to make people sign into controlled servers.

As the exploit takes advantage of the Windows Server Message Block – an application layer network protocol in Windows that handles access to files, printers, and other communication ports and routines – Cylance believes that, theoretically, attackers could intercept automated log-on requests to remote servers issued by background applications on the Windows machine, and bend those requests to their own will.

However, this variation has so far only been created in Cylance’s labs.

Microsoft downplayed the urgency of the threat, commenting that “several factors would need to converge for a ‘man-in-the-middle’ cyber attack to occur”.

“Our guidance was updated in a Security Research and Defense blog in 2009, to help address potential threats of this nature. There are also features in Windows, such as Extended Protection for Authentication, which enhances existing defences for handling network connection credentials.”

Cylance, however, does not agree, stating that the exploit is not protected, and offering the following advice:

“Microsoft has yet to release a patch to fix the Redirect to SMB vulnerability. The simplest workaround is to block outbound traffic from TCP 139 and TCP 445 – either at the endpoint firewall or at the network gateway’s firewall (assuming you are on a trusted network). The former will block all SMB communication, which may disable other features that depend on SMB. If the block is done at the network gateway’s firewall, SMB features will still work inside the network, but prevent authentication attempts with destinations outside the network.”
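The two workarounds Cylance describes differ in where the block sits: an endpoint rule drops every outbound SMB connection, while a gateway rule lets SMB work inside the trusted network and only blocks it towards outside destinations. The following script is an added example, not Cylance's or Microsoft's code, that applies both policies to constructed outbound connection records so an administrator can see which connections each option would have stopped; the log format and the choice of the RFC 1918 ranges as the trusted network are assumptions.

```python
import ipaddress
from typing import Callable, List, Tuple

# Constructed sample log lines (not real traffic), loosely modelled on a
# firewall text log: date time action proto src dst sport dport direction
SAMPLE_LOG = """\
2015-04-13 10:22:01 ALLOW TCP 10.0.0.5 10.0.0.20 49210 445 SEND
2015-04-13 10:22:03 ALLOW TCP 10.0.0.5 203.0.113.7 49211 445 SEND
2015-04-13 10:22:04 ALLOW TCP 10.0.0.5 198.51.100.9 49212 139 SEND
2015-04-13 10:22:05 ALLOW TCP 10.0.0.5 203.0.113.7 49213 443 SEND
2015-04-13 10:22:06 ALLOW TCP 203.0.113.7 10.0.0.5 445 49214 RECEIVE
"""

SMB_PORTS = {139, 445}  # NetBIOS session service and direct-hosted SMB

# Assumed trusted address space: the RFC 1918 private ranges.
TRUSTED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def endpoint_verdict(dst_ip: str, dst_port: int) -> str:
    """Endpoint-firewall option: block all outbound SMB, wherever it goes."""
    return "block" if dst_port in SMB_PORTS else "allow"


def gateway_verdict(dst_ip: str, dst_port: int) -> str:
    """Gateway-firewall option: SMB to trusted hosts still works; SMB to
    any destination outside the trusted network is blocked."""
    if dst_port in SMB_PORTS and not is_trusted(dst_ip):
        return "block"
    return "allow"


def audit(log_text: str, policy: Callable[[str, int], str]) -> List[Tuple[str, int, str]]:
    """Apply a policy to every outbound (SEND) record; return (dst, port, verdict)."""
    results = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[8] != "SEND":
            continue  # skip malformed lines and inbound traffic
        dst_ip, dst_port = fields[5], int(fields[7])
        results.append((dst_ip, dst_port, policy(dst_ip, dst_port)))
    return results


if __name__ == "__main__":
    for name, policy in (("endpoint", endpoint_verdict), ("gateway", gateway_verdict)):
        blocked = [(d, p) for d, p, v in audit(SAMPLE_LOG, policy) if v == "block"]
        print(f"{name} rule would block: {blocked}")
```

Running the audit against historical firewall logs before enabling the rule shows which legitimate SMB flows, if any, the endpoint variant would break.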

Via: Computing