
This revision of an unpatched vulnerability from 1997 affects every version of Windows

By Shawn Knight · 16 replies
Apr 13, 2015

    Researchers at cyber security specialist Cylance in collaboration with CERT at Carnegie Mellon University have uncovered a zombie vulnerability that affects all versions of Windows, including the latest Windows 10 preview.

    The vulnerability is called a zombie because it revives an earlier, already reported flaw. It extends a bug Aaron Spangler disclosed in 1997: when Windows follows a link to a UNC path or file:// URL on a remote machine, it connects to that machine over SMB and automatically tries to authenticate with the logged-on user's credentials, behaviour that Windows still does not defend against by default.

    The new variant is called Redirect to SMB (server message block). An attacker who can intercept a client's HTTP traffic (a man-in-the-middle position) or who controls a web server the client talks to answers a request with a redirect, for example an HTTP 302 whose Location header points at a file:// URL on an attacker-controlled SMB server. The Windows client follows the redirect, opens an SMB connection to that server and tries to log in, handing the attacker the user's username and an NTLM challenge-response derived from the password, which can then be cracked offline. It is the client, not a legitimate web server, that gives up the credentials.
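    The redirect that triggers the flaw is a single HTTP response, so it is also easy to spot in proxy logs. The following PowerShell is an added example, not code from the article or from Cylance: it flags redirect targets that would make a Windows client speak SMB, either a file:// URL with a remote host or a UNC path, and runs that check over a few constructed proxy-log lines. The log format, host names and addresses are made up for the illustration.

```powershell
# Added example, not code from the article or from Cylance: flag HTTP redirect
# targets that would make a Windows client open an SMB connection. The log
# format, hosts and addresses below are constructed for the illustration.

function Test-SmbRedirectTarget {
    param([Parameter(Mandatory)][string]$Location)

    # file://host/share/... : Windows resolves "host" and authenticates to it
    # over SMB. file:///C:/... (a drive letter, no host) stays on the machine.
    if ($Location -match '^file:/{2,}(?<host>[^/\\]+)[/\\]') {
        $h = $Matches['host']
        if ($h -notmatch '^[A-Za-z]:$' -and $h -ne 'localhost') { return $true }
    }
    # \\host\share : a UNC path has the same effect.
    if ($Location -match '^\\\\[^\\]+\\') { return $true }
    return $false
}

function Find-SmbRedirect {
    param([string[]]$LogLines)
    # Constructed field layout: time client status url location ('-' = no Location header)
    foreach ($line in $LogLines) {
        $f = $line -split '\s+'
        if ($f.Count -lt 5) { continue }
        $isRedirect = $f[2] -in @('301', '302', '303', '307', '308')
        if ($isRedirect -and (Test-SmbRedirectTarget $f[4])) {
            [pscustomobject]@{ Time = $f[0]; Client = $f[1]; From = $f[3]; To = $f[4] }
        }
    }
}

# Constructed proxy log: one benign redirect, two that would leak credentials.
$sample = @(
    '2015-04-13T10:00:01 10.0.0.5 302 http://update.example.test/check file://203.0.113.9/share/update.exe',
    '2015-04-13T10:00:02 10.0.0.5 302 http://www.example.test/old http://www.example.test/new',
    '2015-04-13T10:00:03 10.0.0.7 302 http://cdn.example.test/img.png \\203.0.113.9\pub\img.png',
    '2015-04-13T10:00:04 10.0.0.8 200 http://www.example.test/ -'
)

# Prints the two dangerous redirects (clients 10.0.0.5 and 10.0.0.7); the
# http:// redirect and the plain 200 are ignored.
Find-SmbRedirect -LogLines $sample | Format-Table -AutoSize
```

    The same Location test applies to the original 1997 form of the bug, where the trigger is an image or link on a page pointing at a UNC path rather than a redirect; only the place you look for it in the traffic changes.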

    The team identified 31 software packages that are vulnerable to Redirect to SMB, many of them everyday programs, including Adobe Reader, QuickTime, Norton Security Scan, Windows Media Player, Excel 2010 and Internet Explorer 11.

    Because the attacker must either sit in the path of the victim's HTTP traffic or control a web server the victim's software contacts, the technique is most likely to be used in targeted attacks by skilled adversaries rather than in mass exploitation.

    Without an official fix from Microsoft, Cylance said the easiest workaround is to block outbound traffic on TCP ports 139 and 445, either with the endpoint firewall or at the network gateway's firewall. Microsoft never resolved the original issue in 1997; perhaps this new variant will convince it to finally take care of it.
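    Applying that workaround on a single Windows host is more than a one-liner, because a Windows Firewall block rule overrides any allow rule: blocking 139/445 to "Any" and then allowing the LAN does not work. The script below is an added example, not Microsoft's or Cylance's code. It assumes a Windows 8 / Server 2012 or later host with the NetSecurity PowerShell module, an elevated session, and private (RFC 1918) addressing on the LAN; the 203.0.113.9 address used for the check is a documentation address chosen for the example.

```powershell
# Added example, not Microsoft's or Cylance's code: implement the article's
# workaround on one Windows host with the built-in firewall, then verify it.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.

# IPv4 ranges outside RFC 1918, link-local and loopback, plus IPv6 global
# unicast. Scoping the block to these keeps SMB to the office LAN working while
# a file:// redirect to an attacker's Internet host can no longer connect.
$nonPrivate = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-126.255.255.255',
    '128.0.0.0-169.253.255.255',
    '169.255.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255',
    '2000::/3'
)

$ruleName = 'Block outbound SMB to non-private hosts'

# Remove a stale copy so the script is safe to re-run.
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# TCP 139 (NetBIOS session) and 445 (direct SMB). Block rules win over allow
# rules in Windows Firewall, so the address scope is restricted here instead of
# blocking 'Any' and relying on an allow rule for the LAN.
New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
    -RemotePort 139, 445 -RemoteAddress $nonPrivate -Action Block -Profile Any |
    Out-Null

# Verify what was actually written: the port and address filters on the rule.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$rule | Get-NetFirewallPortFilter    | Select-Object Protocol, RemotePort
$rule | Get-NetFirewallAddressFilter | Select-Object RemoteAddress

# Functional check against a documentation address (TEST-NET-3, chosen for the
# example; nothing of ours listens there). With the rule in place the connect
# attempt fails and TcpTestSucceeded is False.
Test-NetConnection -ComputerName 203.0.113.9 -Port 445 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

    A gateway rule blocking the same ports toward the Internet covers hosts you cannot manage this way. The other lever on the Windows side, independent of the firewall, is the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy (Windows 7 / Server 2008 R2 and later), which stops the automatic NTLM authentication itself; run it in audit mode first, since it also breaks legitimate NTLM logons to servers outside the domain.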


  2. VitalyT

    VitalyT Russ-Puss Posts: 3,454   +1,733

    They wanted to call it Holes, and they wanted them to be large ones, but they didn't want that to give people the wrong ideas, so they decided to go for the square ones and called it Windows. All Copyrighted.
    Last edited: Apr 13, 2015
  3. Per Hansson

    Per Hansson TS Server Guru Posts: 1,946   +200

    It's always been puzzling to me how Microsoft coded Windows to try to log in with the credentials of the logged-on user when connecting to network shares; it's a big security issue no matter what.
  4. "...the easiest workaround is to simply block outbound traffic from TCP 139 and TCP 445..."

    or don't use Windows.
  5. Squid Surprise

    Squid Surprise TS Evangelist Posts: 1,314   +537

    The problem is... fixing this vulnerability is not so easy.... otherwise they would have done it... closing this "hole" means a lot of stuff won't work... Since it takes a skilled hacker to utilize this vulnerability, and I suspect hasn't been used too often... Microsoft has probably just ignored it....
  6. Peter Farkas

    Peter Farkas TS Addict Posts: 251   +79

    They can't ignore such a vulnerability. Especially when it is well known...
  7. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,762   +435

    Yes on a domain it makes sense - AD is the trusted verifier for both parties etc but for workgroups, it's a crazy security risk.

    As you say, there should be a prompt on what credentials to try before doing anything.
  8. ETF Soldier

    ETF Soldier TS Evangelist Posts: 438   +112

    I don't understand why people publish/announce security breaches. Does it not give hackers new ideas? Does announcing it publicly create social pressure for a fix that wouldn't work if they went directly to the company?
  9. Squid Surprise

    Squid Surprise TS Evangelist Posts: 1,314   +537

    Apparently they have... for 18 years...

    "Officially" - companies are more likely to fix something only if it is brought into the public eye - "fixes" cost money, manpower, and reputation.... Prime example is a car company only recalling a part after a few accidents....

    In the "hacking world", it also serves to bring notoriety to the person/group who reveals the vulnerability...
    Last edited by a moderator: Apr 14, 2015
  10. Kibaruk

    Kibaruk TechSpot Paladin Posts: 3,160   +829

    For 95.X% of users that is not easy.
  11. jobeard

    jobeard TS Ambassador Posts: 10,432   +801

    The DEFAULT Windows firewall already implements the proper solution;
    • never accept ports 139,445 from any ip other than the local LAN
    Who in their right mind would do otherwise???
  12. Per Hansson

    Per Hansson TS Server Guru Posts: 1,946   +200

    Does not matter for outbound connections which this vulnerability is about.
  13. jobeard

    jobeard TS Ambassador Posts: 10,432   +801

    For privacy, but for virus/trojan injections, the input path is a vector too.
    For outputs, the default fw is easily tweaked :)
  14. Per Hansson

    Per Hansson TS Server Guru Posts: 1,946   +200

    It does not matter, this issue has existed forever (18 years) and no single normal user will have any idea how to fix this, the defaults by Microsoft even in the latest build of Windows 10 allow outgoing SMB traffic to any address, with authentication as the logged on user always attempted.
    In fact I don't even think there is any possibility of changing it so it does not try authentication.
    It just so clearly shows how Microsoft does not understand security.
    At my previous company a colleague used this vulnerability years ago to steal my credentials, fun in that case, might not be so fun if it's not someone you trust!

    And indeed when I went to Dreamhack, what might it be now, 10 years ago, damn I'm feeling old, we used sniffers for this in the network too, great fun with thousands of computers in the same local network...
  15. jobeard

    jobeard TS Ambassador Posts: 10,432   +801

    • firewall rule: but requires another rule to allow ip address local_lan/24
    • outbound
    • local ports 137 udp
    • local ports 445 tcp
    • destination IP address any
    • application all
    • action deny
  16. Fixing a hole is a real problem for them, but it's not a problem at all to destroy a well-known OS UI (I'm looking at you, Windows 8/8.1, Metro panel) for the sake of a change needed to sell the same product once again.
  17. Per Hansson

    Per Hansson TS Server Guru Posts: 1,946   +200

    @jobeard perhaps I was unclear, I meant for normal users it would be really hard to implement the necessary firewall rules (as you showed).
    And that as far as I know there is no way in Windows to disable the authentication attempt that is made using the logged on users credentials, so the firewall would be the only "solution".
