New man-in-the-middle attack Windows uncovered

Security researchers have described a new attack against an old Windows vulnerability that lets attackers redirect a victim's network traffic to their own systems and capture login names and passwords.

The researchers have named the vulnerability Redirect to SMB. It has its origins in a vulnerability discovered in 1997 that was never fixed: if Internet Explorer was served a URL beginning with file://, Windows tried to connect and authenticate to an SMB server (as in the original example, a file:// URL pointing at an IP address). The researchers have now found a new attack based on this behaviour that works with all versions of Windows.

Attackers can intercept HTTP requests and use HTTP redirects to steer a system's traffic to malicious SMB servers. Many programs handle HTTP redirects in the background. If the redirect URL is of the file:// type, Windows automatically proceeds to authenticate to the SMB server and presents the user's credentials. The attacker can capture the login names and encrypted passwords and recover the passwords, for example via a brute-force attack.

Attackers therefore no longer need to lure a target to an SMB server through the browser; instead they can wait for the automated HTTP requests that applications make in the background, obtaining SMB logins with personal credentials much faster and more covertly. "We have identified four popular Windows API functions that allow redirects from HTTP or HTTPS to SMB," writes security firm Cylance, which discovered the attack method. "Tests show that much software functionality, such as updaters and usage-reporting tools, uses these API functions."
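The redirect-following behaviour described above is where a client can defend itself. The following is an added example, not code from the article or from Cylance: a redirect policy that refuses to follow any 30x Location that leaves the http/https schemes, which is what an updater or usage-reporting client needs so that an injected file:// redirect never turns into an SMB authentication. The URLs, host names, IP address and responses are constructed sample data standing in for a real HTTP client.

```python
from urllib.parse import urljoin, urlparse

# Only these schemes may be followed; a redirect to anything else (file://,
# which Windows resolves to an SMB connection) is refused rather than followed.
ALLOWED_SCHEMES = frozenset({"http", "https"})
REDIRECT_STATUSES = frozenset({301, 302, 303, 307, 308})


class RedirectRefused(Exception):
    """Raised when a redirect would leave the http/https schemes."""


def resolve_redirect(request_url, status, headers):
    """Return the absolute URL of an allowed redirect, or None if the response
    is not a redirect. Raises RedirectRefused for a redirect to a disallowed
    scheme such as file://."""
    if status not in REDIRECT_STATUSES:
        return None
    location = headers.get("Location")
    if not location:
        return None
    # Relative Locations resolve against the request URL; an absolute Location
    # with a different scheme is returned unchanged by urljoin, so the scheme
    # check below sees exactly what the server asked the client to open.
    target = urljoin(request_url, location.strip())
    scheme = urlparse(target).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise RedirectRefused(f"refusing redirect to {target!r} (scheme {scheme!r})")
    return target


def fetch_with_policy(start_url, responses, max_hops=5):
    """Walk a redirect chain under the policy above. `responses` maps a URL to a
    (status, headers, body) tuple; it is constructed sample data in place of a
    network client. Returns (final_url, status, body)."""
    url = start_url
    for _ in range(max_hops):
        status, headers, body = responses[url]
        nxt = resolve_redirect(url, status, headers)
        if nxt is None:
            return url, status, body
        url = nxt
    raise RedirectRefused("too many redirects")


# Constructed sample exchanges: a benign https upgrade, and a reply rewritten
# to point at an SMB share (the pattern the article describes).
SAMPLE_RESPONSES = {
    "http://updates.example.test/check": (302, {"Location": "https://updates.example.test/check"}, b""),
    "https://updates.example.test/check": (200, {"Content-Type": "application/json"}, b'{"latest": "1.2.3"}'),
    "http://stats.example.test/ping": (302, {"Location": "file://203.0.113.7/share/ping"}, b""),
}
```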

Cylance found that the method works with many software packages, including Adobe Reader, Apple QuickTime, Apple Software Update, Internet Explorer, Windows Media Player, Excel 2010, Symantec's Norton Security Scan, AVG Free, TeamViewer and GitHub for Windows.

Cylance considers the probability of large-scale abuse limited, but targeted attacks by sophisticated attackers, for example via malicious advertisements or open Wi-Fi networks, possible. Microsoft has not closed the vulnerability. In the meantime, users can block outbound SMB traffic on TCP ports 139 and 445.
