back to article Unpatched 18-year-old Windows man-in-the-middle diddle revived

Security boffin Brian Wallace has revived an 18-year-old Windows bug affecting at least 31 top vendors, which could allow an attacker to steal usernames and passwords from millions of Microsoft boxes. The respun vulnerability, dubbed Redirect to SMB, requires victims to visit or be pushed to a malicious server which could …

Silver badge
Holmes

We hope that our research will compel Microsoft to reconsider the vulnerabilities and disable authentication with untrusted SMB servers.

But surely a server is untrusted until authentication occurs? Isn't this part of reason why we have authentication?

Surely the problem is that Windows is sending a weak authentication token, rather than sending an authentication token at all?

5
2
Silver badge

It is possible to have trusted servers - either previously visited and authenticated (i.e. no automatic attempt to login a box could pop up saying that your device is trying to authenticate to an untrusted/unknown server) or using secure certificates similar to SSL with a whitelist trusted method.

0
0
Silver badge

I tend to disable SMB on the client side, if there's no critical need for using fileshares. It has always been a bit leaky and open to abuse.

2
1
Silver badge
Holmes

Who's fault is it?

I can't work out whether it's Microsoft's fault because SMB should have been given its own protocol (smb://...) instead of being bolted onto file: with the problems that brings (file: is local and has a different trust level to remote protocols) or it's Microsoft's fault because their MSHTML library accepts redirections from remote protocols to file: without complaining.

3
1
LDS
Silver badge

Re: Who's fault is it?

Using "smb:" instead of "file:" won't change anything, simply the malicious redirector would use the former instead of the latter. SMB, just like NFS, was designed to access files on shared resources, using the file interface - while with NFS usually you mount the share somewhere, in Windows you can "mount" to a letter (there are more sophisticated ways, anyway), or simply access it with the UNC syntax - which is what makes the trick work. The issue is that once SMB is requested to access a server, it could naively present user credentials in attempt to get access - if this works depends on how the Windows system is configured, which authentication is used, and which type of password hashes it is allowed to use. And especially, unless the rogue server is in your LAN, if SMB "out" is allowed by the firewall on an unsecure network. It may be a risk on standalone machine, because AFAIK int the default Windows FW SMB out is enabled with the only scope limitation "local subnet" - but in some environments (i.e. free wi-fi), the local subnet may span several machines outside your control...

4
0
Holmes

Typos in the first paragraph

As it stands now, there appears to be a misplaced "to" in the fist paragraph.

As the vulnerability report stands, wasn't this the same one that was reported last week? Quite possible that I read about it on the Reg...

0
0
Mushroom

Re: Typos in the first paragraph

The extra 'to' will stay there, it won't get fixed. As far as I can tell no typos or spelling errors that get reported get fixed. It doesn't matter if you post a correction in the comments or click the 'Tips and corrections' link. Perhaps Teh Reigster is trying to emulate the Grauniad.

1
2

This post has been deleted by its author

This post has been deleted by its author

Silver badge

@Spasticus Autisticus Re: Typos in the first paragraph

I've just had an email from a sub-editor and the typos have been fixed.

0
0

To be honest

I USED to be pro-Microsoft - not any more. The fact they are going to the cloud and forcing people to use this model and basically abandoning their on-premise customers is stupid. Once they are fully in the cloud, why is there any need to choose them over Amazon, Google, etc?

Furthermore, the number of bugs just keeps increasing as their crappy software gets patched to fix prior bugs. These supposed CU patches do not even fix the items they claim to fix. I have just had it with the hours wasted troubleshooting problems that are bugs.

While they have SOME good products, it is not enough to justify MS anymore. With Amazon desktop

coming out, those office users can used virtual desktops for Office, so there will be very little need soon to use Windows. Even those apps the require IE6 are doomed as the browser is no longer supported.

With Linux and Unix, things just work. Especially with Linux, if I find a bug, I can typically fix it. Now with Steam OS, and Office on the iPad, I expect one day we will see Office on Linux. This security item is just one more nail in the coffin.

Sorry for the rant…

2
1

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2017