One attack that floated out of the surface a few days ago on April 13, 2015 is called Redirect to SMB, a new technique for stealing login credentials from any devices that runs on any versions of Windows, including the previews of yet-to-be-released Windows 10 operating systems.
Table of Contents
Why it’s a 18-year-old vulnerability?
Well, that’s because the attack is built on a vulnerability discovered in 1997 that supplying URLs beginning with the word “file” to Internet Explorer would cause the operating system to attempt to authenticate with a SMB server at the address 126.96.36.199.
How it attacks?
The attack is called Redirect to SMB because it stands in the middle of the communication between victims and legitimate web servers redirecting the requests to the malicious SMB servers to obtain victims authentication information without authorization.
Here is how it works in 4 steps:
- Application attempts to check for an update at legitimate web server.
- The middle man redirects the request to his own HTTP server.
- The fake HTTP server responds with status code 302 to redirect the web client.
- Victim connects to attacker’s SMB server and authenticates without any prompt.
What’s the impact?
Most likely, Redirect to SMB is to be used in targeted attacks by advanced attacker because they must have control over some component of a victim’s network traffic.
Also note that even though the passwords over SMB are encrypted they are encrypted in a less advanced encryption method that is considered week in today’s standard.
What versions of Windows are affected?
Unfortunately, all of them. On top of that, some of Microsoft applications are also vulnerable, including IE, Windows Media Player, Excel 2010, and Microsoft Baseline Security Analyzer.
What 3rd party applications are affected?
A lot, including many security software.
- Apple QuickTime
- Apple iTunes Software Update
- Symantec Norton Security Scan
- AVG Free
- BitDefender Free
- Comodo Antivirus
- Adobe Reader
- Box Sync
Has it been patched?
Unfortunately, not yet
What to do to protect when not patched?
If you are behind a firewall, you can block outbound traffic from TCP 139 and 445 on the firewall.
But if you aren’t, or you are using a laptop in a public WiFi, make sure block the same TCP ports in Windows Firewall.
If you are interested in a more detailed technical information, download the White Paper.