Windows Flaw

Microsoft downplays new report of Windows flaw

Researchers say a new variation on an old flaw could allow hackers to steal log-in credentials from users of every version of Windows. Microsoft doesn't seem too worried.
A look at how "Redirect to SMB" could work in one attack method.
Security research firm Cylance says it's found a vulnerability in Windows that could let hackers steal user names and passwords, but Microsoft isn't so sure it's worth focusing on.
Any Windows PC, tablet or server running Windows 8.1 or earlier -- and even devices running the as-yet-unreleased Windows 10 -- is subject to a vulnerability Cylance reported on its blog on Monday. The company, which dubbed the attack "Redirect to SMB," says the vulnerability relates to a similar flaw first discovered in Windows in 1997 by researcher Aaron Spangler that caused Windows to automatically provide a user's Windows username and password to what it thought was a server. Cylance says the issue was never patched by Microsoft.
At the heart of the new attack is SMB, or server message block. SMB is a protocol that allows for file sharing over a network. In Windows, SMB is often used by companies to share files from a server across an entire company network.
According to Cylance, a "Redirect to SMB" attack requires that a victim either enter a URL beginning with "file://" or click on a malicious link. Because of the flaw, Windows treats that link as a request by the user to open a file on a server and automatically sends the user's credentials to it.
Once hackers obtain the credentials, they'll find that the passwords are encrypted. However, Cylance says that a person who has a higher-end graphics processing unit "could crack any 8-character password consisting of letters (upper and lower case) as well as numbers in less than half a day."
There's debate, however, over whether the flaw is as serious as Cylance argues. This issue has been known for several years and Microsoft provided guidance on how to protect oneself from the feature in 2009 in two separate security advisories.
On Monday, Microsoft downplayed the Cylance "discovery," saying that it wasn't new at all and that the chances of falling victim to the attack are slim.
"We don't agree with Cylance's claims of a new attack type. Cybercriminals continue to be engaged in a number of nefarious tactics," a Microsoft spokesperson said. "However, several factors would need to come together for this type of cyberattack to work, such as success in luring a person to enter information into a fake website. We encourage people to avoid opening links in emails from senders that they don't recognize or visiting unsecure sites."
Cylance reported that it has discovered 31 programs that are vulnerable to the flaw, including Internet Explorer and Excel 2010. The company also discovered that Adobe Reader, Apple QuickTime and Symantec's Norton Security Scan can also fall victim to the attack. Carnegie Mellon University, which also outlined the flaw on Monday after discovering it for itself, said that most applications that go out on the Internet to check for software updates, for instance, are subject to the flaw.
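The two defender-side checks that follow from the mechanism described above are to watch for HTTP redirects whose target is a file share and to watch for SMB connections leaving the network. This is an added example written for this page, not code from the article, Cylance or CERT; the log formats and the internal address ranges in INTERNAL_NETS are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample web-proxy log: client, HTTP status, requested URL, Location header ("-" if none).
PROXY_LOG = """\
10.0.0.5 302 http://updates.example.test/check.php file://203.0.113.9/share/update.bin
10.0.0.7 200 http://www.example.test/index.html -
10.0.0.5 301 http://cdn.example.test/logo.png http://cdn2.example.test/logo.png
10.0.0.9 302 http://ads.example.test/img.gif //203.0.113.9/pub/img.gif
""".splitlines()

# Constructed sample perimeter-firewall log: action, source, destination, destination port, protocol.
FW_LOG = """\
ALLOW 10.0.0.5 203.0.113.9 445 TCP
ALLOW 10.0.0.5 10.0.0.20 445 TCP
ALLOW 10.0.0.7 198.51.100.4 443 TCP
ALLOW 10.0.0.9 203.0.113.9 139 TCP
""".splitlines()

SMB_PORTS = {139, 445}
# Assumed internal address space; SMB to anything outside it should never leave the perimeter.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def redirect_to_smb(location: str) -> bool:
    """True if a redirect target is one Windows would hand to the SMB client (file:// or a UNC/scheme-relative path)."""
    if location == "-":
        return False
    return (urlparse(location).scheme == "file"
            or location.startswith("//")
            or location.startswith("\\\\"))


def suspicious_redirects(lines):
    """Return (client, requested URL, Location) for 3xx responses that redirect to a file share."""
    hits = []
    for line in lines:
        client, status, url, location = line.split()
        if status.startswith("3") and redirect_to_smb(location):
            hits.append((client, url, location))
    return hits


def external_smb(lines):
    """Return (src, dst, port) for allowed SMB connections whose destination lies outside INTERNAL_NETS."""
    hits = []
    for line in lines:
        _action, src, dst, dport, proto = line.split()
        dst_ip = ipaddress.ip_address(dst)
        if proto == "TCP" and int(dport) in SMB_PORTS and not any(dst_ip in net for net in INTERNAL_NETS):
            hits.append((src, dst, int(dport)))
    return hits
```

Any hit from external_smb is also the connection a perimeter rule blocking outbound TCP 139 and 445 would have stopped, which is the standard mitigation for this class of credential leak.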
