This revision of an unpatched vulnerability from 1997 affects every version of Windows

Shawn Knight



Researchers at cyber security specialist Cylance in collaboration with CERT at Carnegie Mellon University have uncovered a zombie vulnerability that affects all versions of Windows, including the latest Windows 10 preview.

The vulnerability is described as a zombie because it is based on an earlier, already reported vulnerability. In this case, it is an extension of a flaw discovered by Aaron Spangler back in 1997 that Windows still does not defend against by default.

This new variant is being called Redirect to SMB (server message block). It’s essentially a way for hackers to hijack communications using man-in-the-middle attacks and force legitimate web servers to cough up login credentials including usernames and passwords.

The team has identified 31 software packages that are vulnerable to Redirect to SMB, many of which are programs you may use on a regular basis including Adobe Reader, QuickTime, Norton Security Scan, Windows Media Player, Excel 2010 and Internet Explorer 11.

Due to the advanced nature of the attack and the fact that the bad actor would need to have control over certain components, it’s most likely to be used in targeted attacks by skilled hackers.

Without an official fix from Microsoft, Cylance said the easiest workaround is to block outbound traffic on TCP ports 139 and 445, either at the endpoint firewall or at the network gateway's firewall. Microsoft never resolved the original issue in 1997, but perhaps this new method will convince them to finally take care of it.


 
They wanted to call it Holes, and they wanted them to be large ones, but they didn't want that to give people the wrong ideas, so they decided to go for the square ones and called it Windows. All Copyrighted.
 
It's always been puzzling to me how Microsoft coded Windows to try to log in with the credentials of the logged-on user when connecting to network shares; it's a big security issue no matter what.
 
"...the easiest workaround is to simply block outbound traffic from TCP 139 and TCP 445..."

or don't use Windows.
 
The problem is... fixing this vulnerability is not so easy.... otherwise they would have done it... closing this "hole" means a lot of stuff won't work... Since it takes a skilled hacker to utilize this vulnerability, and I suspect hasn't been used too often... Microsoft has probably just ignored it....
 
The problem is... fixing this vulnerability is not so easy.... otherwise they would have done it... closing this "hole" means a lot of stuff won't work... Since it takes a skilled hacker to utilize this vulnerability, and I suspect hasn't been used too often... Microsoft has probably just ignored it....
They can't ignore such a vulnerability. Especially when it is well known...
 
It's always been puzzling to me how Microsoft coded Windows to try to log in with the credentials of the logged-on user when connecting to network shares; it's a big security issue no matter what.
Yes on a domain it makes sense - AD is the trusted verifier for both parties etc but for workgroups, it's a crazy security risk.

As you say, there should be a prompt on what credentials to try before doing anything.
 
I don't understand why people publish/announce security breaches; does it not give hackers new ideas? Does announcing it publicly create social pressure for a fix that wouldn't work if they went directly to the company?
 
The problem is... fixing this vulnerability is not so easy.... otherwise they would have done it... closing this "hole" means a lot of stuff won't work... Since it takes a skilled hacker to utilize this vulnerability, and I suspect hasn't been used too often... Microsoft has probably just ignored it....
They can't ignore such a vulnerability. Especially when it is well known...


Apparently they have... for 18 years...

I don't understand why people publish/announce security breaches; does it not give hackers new ideas? Does announcing it publicly create social pressure for a fix that wouldn't work if they went directly to the company?

"Officially" - companies are more likely to fix something only if it is brought into the public eye - "fixes" cost money, manpower, and reputation.... Prime example is a car company only recalling a part after a few accidents....

In the "hacking world", it also serves to bring notoriety to the person/group who reveals the vulnerability...
 
The DEFAULT Windows firewall already implements the proper solution;
  • never accept ports 139,445 from any ip other than the local LAN
Who in their right mind would do otherwise???
 
The DEFAULT Windows firewall already implements the proper solution;
  • never accept ports 139,445 from any ip other than the local LAN
Who in their right mind would do otherwise???
Does not matter for outbound connections, which is what this vulnerability is about.
 
For privacy, but for virus/trojan injections, the input path is a vector too.
For outputs, the default fw is easily tweaked :)
 
For privacy, but for virus/trojan injections, the input path is a vector too.
For outputs, the default fw is easily tweaked :)
It does not matter; this issue has existed forever (18 years) and no single normal user will have any idea how to fix this. The defaults by Microsoft, even in the latest build of Windows 10, allow outgoing SMB traffic to any address, with authentication as the logged-on user always attempted.
In fact I don't even think there is any possibility of changing it so it does not try authentication.
It just so clearly shows how Microsoft does not understand security.
At my previous company a colleague used this vulnerability years ago to steal my credentials, fun in that case, might not be so fun if it's not someone you trust!

And indeed when I went to Dreamhack, what might it be now, 10 years ago, damn I'm feeling old, we used sniffers for this in the network too, great fun with thousands of computers in the same local network...
 
hmm:
  • firewall rule: but requires another rule to allow ip address local_lan/24
  • outbound
  • local ports 137 udp
  • local ports 445 tcp
  • destination IP address any
  • application all
  • action deny
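The article's workaround (block outbound TCP 139/445) and the rule outline just above, as an added PowerShell example that is not from the article, Cylance/CERT, or any commenter. It assumes the NetSecurity cmdlets of Windows 8 / Server 2012 or later, an elevated prompt, and that "local LAN" means the IPv4 RFC 1918 ranges; one detail the outline does not show is that Windows Firewall lets block rules win over allow rules, so the block rule itself must be scoped to the non-local address ranges rather than paired with a LAN allow rule.

```powershell
# Added example, not part of the original page or of Microsoft's documentation.
# Run in an elevated PowerShell (Windows 8 / Server 2012 or later, NetSecurity module).
# Assumption: "local LAN" = RFC 1918 space plus loopback and link-local (IPv4 only;
# extend with your own IPv6 prefixes if you use SMB over IPv6).
#
# Windows Firewall evaluates block rules before allow rules, so an "allow LocalSubnet"
# rule cannot punch a hole in a "deny any" rule. The block rule is therefore scoped to
# every IPv4 range that is NOT private, loopback or link-local.
$NonLocal = @(
    '1.0.0.0-9.255.255.255',         # below 10.0.0.0/8
    '11.0.0.0-126.255.255.255',      # between 10/8 and 127/8 (loopback skipped)
    '128.0.0.0-169.253.255.255',     # up to 169.254/16 (link-local skipped)
    '169.255.0.0-172.15.255.255',    # up to 172.16/12
    '172.32.0.0-192.167.255.255',    # up to 192.168/16
    '192.169.0.0-223.255.255.255'    # up to multicast space
)

# The client connects to the SMB server's port (445 direct, 139 NetBIOS session),
# so an outbound filter keys on RemotePort, not LocalPort.
New-NetFirewallRule -DisplayName 'Block outbound SMB to non-local hosts' `
    -Direction Outbound -Action Block -Protocol TCP `
    -RemotePort 139,445 -RemoteAddress $NonLocal -Profile Any -Enabled True

# NetBIOS name/datagram services (UDP 137/138) get the same scope, as in the
# rule outline above, so name resolution is not attempted toward non-local hosts.
New-NetFirewallRule -DisplayName 'Block outbound NetBIOS to non-local hosts' `
    -Direction Outbound -Action Block -Protocol UDP `
    -RemotePort 137,138 -RemoteAddress $NonLocal -Profile Any -Enabled True

# Verify the installed scope (the address ranges live on the rule's address filter).
Get-NetFirewallRule -DisplayName 'Block outbound *to non-local hosts' |
    Get-NetFirewallAddressFilter

# Roll back when no longer needed:
# Remove-NetFirewallRule -DisplayName 'Block outbound SMB to non-local hosts'
# Remove-NetFirewallRule -DisplayName 'Block outbound NetBIOS to non-local hosts'
```

After applying the rules, a share on the local subnet should still open while an outbound connection to port 445 of a public address is refused by the firewall rather than authenticated; on a domain, check first that domain controllers and file servers fall inside the exempted ranges.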
 
Fixing a hole is a real problem for them, but it's not a problem at all to destroy a well-known OS UI (I'm looking at you, Windows 8/8.1, Metro panel) for the sake of a change needed to sell the same product once again.
 
@jobeard perhaps I was unclear, I meant for normal users it would be really hard to implement the necessary firewall rules (as you showed).
And that as far as I know there is no way in Windows to disable the authentication attempt that is made using the logged on users credentials, so the firewall would be the only "solution".
 