
Windows Flaw

Microsoft downplays new report of Windows flaw

Researchers say a new variation on an old flaw could allow hackers to steal log-in credentials from users of every version of Windows. Microsoft doesn't seem too worried.
A look at how "Redirect to SMB" could work in one attack method.
Security research firm Cylance says it's found a vulnerability in Windows that could let hackers steal user names and passwords, but Microsoft isn't so sure it's worth focusing on.
Any Windows PC, tablet or server running Windows 8.1 or earlier -- and even devices running the as-yet-unreleased Windows 10 -- is subject to a vulnerability Cylance reported on its blog on Monday. The company, which dubbed the attack "Redirect to SMB," says the vulnerability is a variation of a flaw first discovered in Windows in 1997 by researcher Aaron Spangler: Windows would automatically send the user's Windows username and a hashed form of the password to anything it took to be a file server. Cylance says the underlying issue was never patched by Microsoft.
At the heart of the new attack is SMB, or server message block. SMB is a protocol that allows for file sharing over a network. In Windows, SMB is often used by companies to share files from a server across an entire company network.
According to Cylance, a "Redirect to SMB" attack requires either that the victim enter a URL beginning with "file://" or, more practically, that the victim's software follow an HTTP redirect to such a URL after, for example, clicking a malicious link. Because of the flaw, Windows treats the file:// URL as a request for a file on a network share and automatically tries to authenticate to the server named in it, handing the user's credentials to whoever controls that server.
The credentials that arrive are not plaintext passwords but hashed challenge-responses, which the attacker must crack offline. However, Cylance says that a person who has a higher-end graphics processing unit "could crack any 8-character password consisting of letters (upper and lower case) as well as numbers in less than half a day."
There's debate, however, over whether the flaw is as serious as Cylance argues. The issue has been known for several years, and Microsoft published guidance on protecting against this behavior in 2009 in two separate security advisories.
On Monday, Microsoft downplayed the Cylance "discovery," saying that it wasn't new at all and that the chances of falling victim to the attack are slim.
"We don't agree with Cylance's claims of a new attack type. Cybercriminals continue to be engaged in a number of nefarious tactics," a Microsoft spokesperson said. "However, several factors would need to come together for this type of cyberattack to work, such as success in luring a person to enter information into a fake website. We encourage people to avoid opening links in emails from senders that they don't recognize or visiting unsecure sites."
Cylance reported that it had identified 31 programs vulnerable to the flaw, including Internet Explorer and Excel 2010. The company also found that Adobe Reader, Apple QuickTime and Symantec's Norton Security Scan can fall victim to the attack. Carnegie Mellon University's CERT Coordination Center, which also published a note on the flaw on Monday, said that most applications that go out on the Internet to check for software updates, for instance, are subject to it.
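The mechanism described above (an HTTP redirect to a file:// URL that Windows turns into an automatic SMB authentication) and the exposure of update-checking clients come down to one missing check on the client side. The following Python script is an added example, not code from Cylance, Microsoft, CERT or the article: it shows the check a client should make before following a redirect, namely resolving the Location header and refusing any target whose scheme is not http or https, which covers both file:// URLs and bare UNC paths. The HTTP responses and host names (updates.example.test, attacker.example.test) are constructed placeholders, not real servers.

```python
"""Refuse HTTP redirects to SMB targets before a Windows client can
auto-authenticate to them.

Added example, not code from Cylance, Microsoft, CERT or the article.
The HTTP responses and host names below are constructed for illustration
(placeholder names, not real servers).
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Schemes a web client may be redirected to.  Anything else (file:, UNC,
# ftp:, ...) is refused so the OS never sees a network-share path.
ALLOWED_SCHEMES = {"http", "https"}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def is_unc_path(target: str) -> bool:
    """True for bare UNC paths such as \\\\host\\share, which Windows opens
    over SMB even though no URL scheme is present."""
    return target.startswith("\\\\")


def resolve_redirect(base_url: str, location: str) -> Tuple[str, bool]:
    """Resolve a Location header against the request URL and decide
    whether following it is safe.

    Returns (resolved_target, allowed).  A target is allowed only if its
    scheme is http or https after resolution; file:// URLs and UNC paths
    are exactly what a Redirect to SMB attack relies on.
    """
    location = location.strip()
    if is_unc_path(location):
        return location, False
    # urljoin keeps an absolute URL with a different scheme as-is, so a
    # file:// target survives resolution and is caught by the scheme check.
    resolved = urljoin(base_url, location)
    scheme = urlsplit(resolved).scheme.lower()
    return resolved, scheme in ALLOWED_SCHEMES


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Minimal parser for the status line and headers of an HTTP/1.1
    response: enough to extract the status code and the Location header."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def next_request(base_url: str, raw_response: bytes) -> Optional[str]:
    """Given the response to a request for base_url, return the URL the
    client should fetch next, or None if the response is not a redirect
    or the redirect target is refused."""
    status, headers = parse_response(raw_response)
    if status not in REDIRECT_CODES or "location" not in headers:
        return None
    resolved, allowed = resolve_redirect(base_url, headers["location"])
    return resolved if allowed else None


# Constructed responses: what an update-check client might receive.
UPDATE_URL = "http://updates.example.test/check?v=1.0"

BENIGN = (b"HTTP/1.1 302 Found\r\n"
          b"Location: https://updates.example.test/latest.json\r\n\r\n")

# The Redirect to SMB case: a file:// URL naming an SMB server the
# attacker controls.  An unguarded Windows client would authenticate to it.
MALICIOUS_FILE = (b"HTTP/1.1 302 Found\r\n"
                  b"Location: file://attacker.example.test/share/x\r\n\r\n")

# Same outcome via a bare UNC path in the Location header.
MALICIOUS_UNC = (b"HTTP/1.1 301 Moved Permanently\r\n"
                 b"Location: \\\\attacker.example.test\\share\\x\r\n\r\n")

if __name__ == "__main__":
    for label, resp in (("benign", BENIGN), ("file://", MALICIOUS_FILE),
                        ("UNC", MALICIOUS_UNC)):
        print(f"{label:8} -> {next_request(UPDATE_URL, resp)}")
```

Run it directly to see the three decisions: the benign redirect is followed and the two SMB targets are dropped. The same rule applies to any HTTP client on Windows, including the update checkers CERT singled out: a redirect handler that accepts only http and https targets keeps the operating system from ever seeing a network-share path, which is the step that triggers the automatic authentication.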
