Slashdot Mirror
Microsoft Live Account Credentials Leaking From Windows 8 And Above (hackaday.com)
An anonymous reader writes: Discovered in 1997 by Aaron Spangler and never fixed, the WinNT/Win95 Automatic Authentication Vulnerability (IE Bug #4) is certainly an excellent vintage. In Windows 8 and 10, the same bug has now been found to potentially leak the user's Microsoft Live account login and (hashed) password information, which is also used to access OneDrive, Outlook, Office, Mobile, Bing, Xbox Live, MSN and Skype (if used with a Microsoft account). The bug itself seems to be present in all Windows systems since Windows 95 / NT, although only Windows 8 and above are effectively compromised. To see if your machine is affected, you may want to check the public demonstration of the exploit, set up by the guys from [Perfect Privacy] and based on [VladikSS] original work. Basically, the default User Authentification Settings of Edge/Spartan (also Internet Explorer, Outlook) lets the browser connect to local network shares, but erroneously fail to block connections to remote shares. To exploit this, an attacker would simply set up a network share. An embedded image link that points to that network share is then sent to the victim, for example as part of an email or website. As soon as the prepped content is viewed inside a Microsoft product such as Edge/Spartan, Internet Explorer or Outlook, that software will try to connect to that share in order to download the image. Doing so, it will silently send the user's Windows login username in plaintext along with the NTLMv2 hash of the login password to the attacker's network share.
I always found it odd when accessing network shares between users with the same name and password that it never prompted me for one.
Windows IE sucks again!
In basic english, does it mean the attacker needs to be on the same internal network or are people open up to attack on the Internet as a whole?
one with no relation to any real accounts...
Come on!
If I block outbound CIFS/SMB connections at the firewall, this should solve the issue, correct?
My eyes reflect the stars and a smile lights up my face.
trying to navigate all of Microsoft's many convoluted username/password schemes.
For the love of all that is holy.. consolidate some of these logins, Microsoft!
If we had an article for every security vulnerability/backdoor found in a Microsoft product, it'd be impossible to find anything else on Slashdot.
What's newsworthy in this case is that the vulnerability remains unpatched since 1997. That is older than some of my kids. That's almost old enough to drink.
I am not your blowing wind, I am the lightning.
If we had an article for every security vulnerability/backdoor found in a Microsoft product, it'd be impossible to find anything else on Slashdot.
What's newsworthy in this case is that the vulnerability remains unpatched since 1997. That is older than some of my kids. That's almost old enough to drink.
That's not unprecedented either: http://www.bbc.com/news/techno...
And plenty old enough to drink in Europe ;)
It can be over the internet.
Confusion between the local network and the internet is the source of the problem. Windows is supposed to automatically log in to LOCAL shares. Instead it will automatically log in to shares anywhere on the internet, when it sees a link to a share.
The critical thing that isn't getting enough attention here is that it requires IE to work. If you visit the test site in Chrome or Firefox it tells you to come back in IE. So it's not nearly as bad as it first appears.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Mint live CD's Firefox shows many having expired in 2014, addons.mozilla.org 2011, yet haven't had any problems. They worth much?
Options/Advanced/Certs/servers.
-trax3001bbs
You mean that thing windows setup tried to trick me into creating so it could target ads at me and try to rent me cloud space?
(Per the results I saw with the testing tool.) That means they could get e.g. VPN or email credentials, too.
I'd prefer if it didn't do much distinction. One compromised device inside a local network shouldn't be enough to escalate it to control every device inside. If you trust devices on a basis "its in our network", then you are doing something wrong.
and the defaults are horrible.
To protect yourself, goto Internet Options -> Security Tab
"Custom level...." -> scroll to bottom, change "User Authentication - Logon" setting from "Automatic login only in Intranet zone" to "Prompt for user name and password".
Repeat for all four zones. Your Internet Explorer install will no longer leak password hashes.
Then do yourself a favor and use another browser for daily browsing.
That's almost old enough to drink.
And now you've made me feel old.
Time to offend someone
I'm not sure what's more pathetic here, the age of this Microsoft bug, or the fact that so many firewalls do NOT block the relevant outbound TCP ports by default.
Seems both are equally as culpable.
Well, it sure can drive you to drink...
The good (?) news is,
* Most consumer ISPs filter the ports necessary to make the exploit possible over the internet
* Most larger companies have at least one competent administrator who has enforced similar blocks
* Some SOHO routers will block this traffic in their default configuration
So the exploit is still critical, but thanks to network administrators and some hardware manufacturers, the footprint isn't nearly as large as it could be.
One reason I always use a local account on my PC's. This is the main problem having one sign in for all Microsoft services. Actually this is what is the problem with Apple, Google and any other ecosystem sign in.
Most companies let people reach out to wherever they want.
The vast majority of filtering/firewalling is done for the opposite direction - blocking shit coming in that doesn't already have an established connection.
I can see how this is one of those "it's not a bug, it's a feature" arguments.
Probably "unpatched" because some big customer of MS is using this "feature".
Though, why they wouldn't just determine the internal vs. external links by using site-and-services and/or IE zone profiles... I don't know.
My eyes reflect the stars and a smile lights up my face.
You just answered the question. Probably the same big company using the bug is probably the same one that has many internal sites marked as external sites for whatever reason.
here's an amusing video showing how simple it is to crack password hashes. teh NTLMv2 hash is only about 4 times slower than the hash he uses in the video.
Why was this modded down? It's absolutely correct.
They said Windows 8 or Windows 10 and Windows Live Login creds. are exposed. But its far more worse.
I tried the bug from Windows 7 (fully patched) while logged in to internal corp. network backed by Active Directory. Then I visited this website https://msleak.perfect-privacy.com and pressed the test button. After some seconds I saw:
- my internal username
- my domain
- my password hash
And, after 30 seconds, my (for testing purposes willful insecure) password. That is not THAT critical because an attacker must be inhouse to gain access to the network. Bat the credentials are also used for Office 356. And here we are busted. So my recommendation: if you don't have already set up 2-factor auth for Office 365, do it NOW.
Looks like they missed this in regression testing then
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
Microsoft should make this an option and set its default to DO NOT CONNECT. That "big customer" can then use GPEto set their workstations to DO CONNECT and most of the world is safe. This is the problem with Microsoft's security stance: they never make the decisions based upon security. Instead, they decide defaults based upon the laziness of the user.
https://www.libreoffice.org/
http://portableapps.com/apps/office/libreoffice_portable
Home users all you will ever need is the libreoffice portable. Run it's self extracting package. After extraction there is just a folder. Put it wherever you want and create a shortcut to the executable on your desktop. It leaves your registry alone. If you want filetypes to be associated just associate them manually with Windows filetype association wizard.
Better than that is just use Linux. opensuse, arch linux, or mint from distrowatch.com are great.
Or you know.. go to any Starbucks, label your machine "free movies" or make a battery powered hotspot with a captive portal page that sends them to the cifs share and start collecting hashes.