Friday 12 August 2022

SMB, Windows and the hole that has been open since 1997


Over the weekend there was a lot of talk about how Windows in particular is vulnerable to a flaw linked to SMB. This flaw could allow someone to grab user information by forcing a redirect to a malicious server using the SMB protocol. The way it works is pretty simple: if you give someone a URL that begins with the word “file”, Windows (and some other systems) will assume that you want to use SMB to connect to a file share. If the server that the link (URL) points to uses even basic authentication, you can try to tempt a user to enter their own credentials and grab them during the exchange.

Now this flaw (called Redirect to SMB) has been in Windows since 1997 and is still present in the latest OS from Microsoft. It is just another of those things that has lingered in the Windows world because no one has complained loudly enough about it. Now that there are reports that the Sony hack was pulled off using this flaw, Microsoft is stepping up and working on a patch. There is a pretty simple workaround until that is ready: you can block TCP ports 139 and 445 on your firewall (if it supports that). Both are used by SMB, so blocking them at the edge of your network (where it connects to the internet) will prevent someone from using this to gain access from outside. You will still be able to use SMB internally if you need or want to.
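As an added example (not code from the original post), the scanner below flags the links in a message or web page that would make a Windows client open an SMB session to a host outside the network: `file://` URLs with a remote host and UNC paths (`\\host\share`), while a local `file:///C:/...` path is ignored. The private address ranges and the `.corp.example` DNS suffix used to decide what counts as internal are assumptions, and the sample message is constructed.

```python
import ipaddress
import re
from urllib.parse import urlparse, unquote

# file:// URLs and Windows UNC paths (\\host\share) as they appear in text or HTML.
LINK_RE = re.compile(r"(?i)(file://[^\s\"'<>]+|\\\\[^\s\"'<>\\]+\\[^\s\"'<>]*)")

# Address ranges and DNS suffix (assumed) that count as the internal network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
INTERNAL_SUFFIXES = (".corp.example",)


def smb_host(link):
    """Return the host an SMB-style link points at, or None for a local path."""
    if link.startswith("\\\\"):                      # UNC: \\host\share\...
        host = link[2:].split("\\", 1)[0]
    else:                                            # file://host/share/...
        host = urlparse(link).netloc
    # file:///C:/dir/file has an empty netloc: a local path, no SMB involved.
    host = unquote(host).split("@")[-1].split(":")[0].lower()
    return host or None


def is_internal(host):
    """Decide offline (no DNS lookups) whether a host is inside the network."""
    if host == "localhost" or host.endswith(INTERNAL_SUFFIXES):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False                                 # unknown name: treat as external
    return any(addr in net for net in INTERNAL_NETS)


def find_external_smb_links(text):
    """Return (link, host) pairs that would send SMB traffic to an outside host."""
    hits = []
    for link in LINK_RE.findall(text):
        host = smb_host(link)
        if host and not is_internal(host):
            hits.append((link, host))
    return hits


# Constructed sample message mixing legitimate internal links with external ones.
SAMPLE = """Invoice: file://203.0.113.10/share/invoice.pdf
Team docs: file://fileserver.corp.example/docs/plan.docx
Local copy: file:///C:/Users/Public/readme.txt
Backup: \\\\198.51.100.7\\backup
Logo: <img src="file://smb-relay.example/logo.jpg">
"""
```

Running `find_external_smb_links(SAMPLE)` reports the three links whose hosts are outside the assumed internal ranges; the internal file server and the local path are left alone.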

But wait, there is more. Although this flaw seems to be most commonly found in Windows, it has also been reported in Apple’s updater for QuickTime and iTunes, the Box Sync client app for Box, TeamViewer and… a few anti-virus applications. Norton Security Scan from Symantec, AVG Free, BitDefender Free and Comodo Antivirus all have the same flaw and are vulnerable to this. Having your malware protection open to something like this is not what you want to hear. There are more utilities, applications and even installers affected by this, which makes it a very serious issue at this stage.

We are working on testing a few other applications to see if this exists outside the Windows world and will follow up when we know more. For now, we highly recommend you block SMB (TCP ports 139 and 445) at your firewall to prevent that innocent-looking logon box from being what brings your network down. After all, how many people do you know who would type in their user names and passwords if Microsoft presented the little SMB logon box when they clicked on something? Personally I know a lot, and that is a very frightening thing.
