Windows 10 has been out barely two weeks and already a vulnerability has been spotted, one that exists in every supported version of the operating system and its browsers and that causes computers on an Active Directory domain to leak users’ credentials.
The problem was outlined at last week’s Black Hat security conference and detailed here. Briefly, the attack is called an SMB relay and causes a Windows computer on an Active Directory domain to leak the user’s credentials to an attacker when visiting a Web page, reading an email in Outlook or opening a video in Windows Media Player. The attacker then relays the credentials back to the server to authenticate as the user.
According to the report, knowledge of the possibility of an SMB relay attack dates back to 2001. But it was thought it only worked inside local networks. In fact, Internet Explorer has a user authentication option that is set by default to “automatic logon only in Intranet zone.” However, researchers at Black Hat said a problem in a Windows DLL file causes the option to be ignored.
The news report says Microsoft [Nasdaq: MSFT] is aware of the problem.
What can a CISO do until it is fixed? Several mitigations are mentioned, including this one from Microsoft: use a firewall to block SMB packets from leaving the local network. The researcher who made the presentation admits this would prevent credential leaks, but added that it isn’t very practical in the age of employee mobility and cloud computing. A host-based filtering solution would be more appropriate, he feels.
The firewall integrated into Windows can be used to block SMB packets on ports 137, 138, 139 and 445 from going out on the Internet, but still allow them on the local network so it doesn’t break file sharing, he added.
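The host-based mitigation described above, written out as an added example that is not from the article or from the researcher’s presentation: a PowerShell script, run in an elevated session, that adds outbound block rules to the built-in Windows firewall for the four SMB/NetBIOS ports and then verifies what was created. The rule names are made up here, and the script assumes that the firewall’s predefined “Internet” address keyword resolves to addresses outside the local network as the article requires; the final check prints the address filter so an administrator can confirm that assumption before relying on it.

```powershell
# Added example (not the article's own): block outbound SMB/NetBIOS to the
# Internet while leaving local-network file sharing alone. Requires an
# elevated (Administrator) PowerShell session on Windows 8.1/2012 R2 or later.

# Hypothetical rule names; change to fit your naming convention.
$RuleTcp = 'Block outbound SMB to Internet (TCP 139,445)'
$RuleUdp = 'Block outbound NetBIOS to Internet (UDP 137,138)'

# Remove any earlier copies so the script can be re-run safely.
Remove-NetFirewallRule -DisplayName $RuleTcp -ErrorAction SilentlyContinue
Remove-NetFirewallRule -DisplayName $RuleUdp -ErrorAction SilentlyContinue

# Assumption: the 'Internet' keyword covers remote addresses outside the local
# network, so hosts on the LAN (and AD file servers) are still reachable.
# Block rules win over allow rules in the Windows firewall, so no allow rule
# for local traffic is needed.
New-NetFirewallRule -DisplayName $RuleTcp `
    -Direction Outbound -Protocol TCP -RemotePort 139,445 `
    -RemoteAddress Internet -Profile Any -Action Block -Enabled True | Out-Null

New-NetFirewallRule -DisplayName $RuleUdp `
    -Direction Outbound -Protocol UDP -RemotePort 137,138 `
    -RemoteAddress Internet -Profile Any -Action Block -Enabled True | Out-Null

# Verification: list the port and address filters actually attached to the rules.
foreach ($name in @($RuleTcp, $RuleUdp)) {
    $rule = Get-NetFirewallRule -DisplayName $name
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $name
        Enabled       = $rule.Enabled
        Action        = $rule.Action
        Protocol      = $port.Protocol
        RemotePort    = ($port.RemotePort -join ',')
        RemoteAddress = ($addr.RemoteAddress -join ',')
    }
}
```

Pushing the same two rules through Group Policy (Computer Configuration > Windows Firewall with Advanced Security) gives every domain-joined machine the rule regardless of which network it is connected to, which is the point the researcher makes about a host-based filter: a roaming laptop is protected on a hotel network, where a perimeter firewall is not in the path.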
Given the large number of organizations — particularly small and medium-sized firms — that use Active Directory, this is a big problem that needs to be addressed.