Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Live Account Credentials Leaking From Windows 8 And Above (hackaday.com)

Posted by msmash on from the security-blues dept.

An anonymous reader writes: Discovered in 1997 by Aaron Spangler and never fixed, the WinNT/Win95 Automatic Authentication Vulnerability (IE Bug #4) is certainly an excellent vintage. In Windows 8 and 10, the same bug has now been found to potentially leak the user's Microsoft Live account login and (hashed) password information, which is also used to access OneDrive, Outlook, Office, Mobile, Bing, Xbox Live, MSN and Skype (if used with a Microsoft account). The bug itself seems to be present in all Windows systems since Windows 95 / NT, although only Windows 8 and above are effectively compromised. To see if your machine is affected, you may want to check the public demonstration of the exploit, set up by the guys from [Perfect Privacy] and based on [VladikSS] original work. Basically, the default User Authentification Settings of Edge/Spartan (also Internet Explorer, Outlook) lets the browser connect to local network shares, but erroneously fail to block connections to remote shares. To exploit this, an attacker would simply set up a network share. An embedded image link that points to that network share is then sent to the victim, for example as part of an email or website. As soon as the prepped content is viewed inside a Microsoft product such as Edge/Spartan, Internet Explorer or Outlook, that software will try to connect to that share in order to download the image. Doing so, it will silently send the user's Windows login username in plaintext along with the NTLMv2 hash of the login password to the attacker's network share.

5 of 55 comments (clear)

  1. Re:Is this news? by Kiaser+Zohsay · · Score: 4, Informative

    If we had an article for every security vulnerability/backdoor found in a Microsoft product, it'd be impossible to find anything else on Slashdot.

    What's newsworthy in this case is that the vulnerability remains unpatched since 1997. That is older than some of my kids. That's almost old enough to drink.

    --
    I am not your blowing wind, I am the lightning.
  2. Re:So... by Anonymous Coward · · Score: 3, Informative

    Have not had a chance to confirm, but from looking at the wireshark SS I would infer blocking outbound 137-139 and 445 should work. However, if you have a webdav (or w/e MS calls it these days) plugin enabled that may be another vector in which this could be used.

  3. That's the problem. It's internet, Windows thinks by raymorris · · Score: 3, Informative

    It can be over the internet.

    Confusion between the local network and the internet is the source of the problem. Windows is supposed to automatically log in to LOCAL shares. Instead it will automatically log in to shares anywhere on the internet, when it sees a link to a share.

  4. Re:That's the problem. It's internet, Windows thin by AmiMoJo · · Score: 2, Informative

    The critical thing that isn't getting enough attention here is that it requires IE to work. If you visit the test site in Chrome or Firefox it tells you to come back in IE. So it's not nearly as bad as it first appears.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  5. Re:This just adds to that feeling of anger I have by jonwil · · Score: 3, Informative

    Its "login consolidation" (specifically the move with Windows 8 and 10 to use your Live/Hotmail/Outlook/Microsoft/etc login as your desktop login) that is the cause of this bug in the first place.

    Thankfully I am on Windows 7 (and would use a local login rather than a cloud login in any case even on Windows 10) so this issue doesn't affect me. (no domains, VPNs or anything else involved either, its just a local login for my desktop)