
Windows Flaw

Microsoft downplays new report of Windows flaw

Researchers say a new variation on an old flaw could allow hackers to steal log-in credentials from users of every version of Windows. Microsoft doesn't seem too worried.
A look at how "Redirect to SMB" could work in one attack method.
Security research firm Cylance says it's found a vulnerability in Windows that could let hackers steal user names and passwords, but Microsoft isn't so sure it's worth focusing on.
Any Windows PC, tablet or server running Windows 8.1 or earlier -- and even devices running the as-yet-unreleased Windows 10 -- is subject to a vulnerability Cylance reported on its blog on Monday. The company, which dubbed the attack "Redirect to SMB," says the vulnerability relates to a similar flaw first discovered in Windows in 1997 by researcher Aaron Spangler that caused Windows to automatically provide a user's Windows username and password to what it thought was a server. Cylance says the issue was never patched by Microsoft.
At the heart of the new attack is SMB, or server message block. SMB is a protocol that allows for file sharing over a network. In Windows, SMB is often used by companies to share files from a server across an entire company network.
According to Cylance, a "Redirect to SMB" attack requires only that a victim either enter a URL beginning with "file://" or click on a malicious link. Because of the flaw, Windows treats that link as an attempt by the user to open a file on a server and automatically sends the user's credentials.
Once hackers obtain the credentials, they'll find that the passwords are encrypted. However, Cylance says that a person who has a higher-end graphics processing unit "could crack any 8-character password consisting of letters (upper and lower case) as well as numbers in less than half a day."
There's debate, however, over whether the flaw is as serious as Cylance argues. This issue has been known for several years and Microsoft provided guidance on how to protect oneself from the feature in 2009 in two separate security advisories.
On Monday, Microsoft downplayed the Cylance "discovery" saying that it wasn't new at all and the chances of falling victim to the attack are slim.
"We don't agree with Cylance's claims of a new attack type. Cybercriminals continue to be engaged in a number of nefarious tactics," a Microsoft spokesperson said. "However, several factors would need to come together for this type of cyberattack to work, such as success in luring a person to enter information into a fake website. We encourage people to avoid opening links in emails from senders that they don't recognize or visiting unsecure sites."
Cylance reported that it has discovered 31 programs that are vulnerable to the flaw, including Internet Explorer and Excel 2010. The company also discovered that Adobe Reader, Apple QuickTime and Symantec's Norton Security Scan can also fall victim to the attack. Carnegie Mellon University, which also outlined the flaw on Monday after discovering it for itself, said that most applications that go out on the Internet to check for software updates, for instance, are subject to the flaw.
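As an added defensive example (not Cylance's or Microsoft's code), the script below scans a proxy log for HTTP redirects that would bounce a Windows client to an SMB share, which is the trace a "Redirect to SMB" lure, including one aimed at an application's update check, leaves behind. The one-JSON-object-per-line log format, the sample lines and the allowlisted file server name are all constructed assumptions.

```python
import json
import re
from typing import Optional

# Constructed allowlist of legitimate internal file servers; a redirect to
# any other SMB host is what a "Redirect to SMB" lure looks like in proxy logs.
TRUSTED_FILE_SERVERS = {"fileserver.corp.example"}


def smb_target_host(location: str) -> Optional[str]:
    """Host that a file://, smb:// or UNC location points at; None if local or non-SMB."""
    loc = location.strip()
    m = re.match(r"^(?:file|smb):(/+)(.*)$", loc, re.IGNORECASE)
    if m:
        slashes, rest = m.group(1), m.group(2)
        if len(slashes) == 3:          # file:///C:/... is a local path, no network hop
            return None
    elif loc.startswith("\\\\"):       # \\host\share UNC form
        rest = loc[2:]
    else:
        return None
    host = re.split(r"[/\\]", rest, maxsplit=1)[0]
    host = host.rsplit("@", 1)[-1].split(":")[0]   # drop user@ prefix and :port
    return host.lower() or None


def is_redirect_to_smb(status: int, location: str) -> bool:
    """True when a 3xx response would send the client to an untrusted SMB host."""
    if not 300 <= status < 400:
        return False
    host = smb_target_host(location)
    return host is not None and host not in TRUSTED_FILE_SERVERS


def scan_proxy_log(lines):
    """Yield (client, requested url, location) for each suspicious redirect."""
    for line in lines:
        if line.strip():
            rec = json.loads(line)
            if is_redirect_to_smb(int(rec.get("status", 0)), rec.get("location", "")):
                yield rec["client"], rec["url"], rec["location"]


# Constructed sample proxy log (one JSON object per line), not real traffic.
SAMPLE_LOG = r"""
{"client": "10.0.0.5", "url": "http://updates.example.net/check", "status": 302, "location": "file://203.0.113.7/share/update.bin"}
{"client": "10.0.0.6", "url": "http://intranet.corp.example/docs", "status": 302, "location": "file://fileserver.corp.example/docs/a.pdf"}
{"client": "10.0.0.7", "url": "http://ads.example.org/img.png", "status": 301, "location": "\\\\203.0.113.9\\img\\x.png"}
{"client": "10.0.0.8", "url": "http://www.example.com/", "status": 200, "location": ""}
"""
```

Running `list(scan_proxy_log(SAMPLE_LOG.splitlines()))` flags the first and third lines: the update check bounced to an external host and the image request bounced to a UNC path, while the redirect to the allowlisted internal server is left alone.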

Stay connected for more of the latest updates...
