Researchers Discover SMB Security Flaw in All Windows Versions

Security firm Cylance has reportedly uncovered a Windows security issue that could lead to attackers stealing user credentials.

The flaw, which the Irvine, Calif.-based security company calls "Redirect to SMB," could lead to a man-in-the-middle attack by intercepting communications between a Windows-based machine and a legitimate Web server. Researchers at Cylance said the flaw is very similar to another Windows security issue found in the late 1990s.

"The Redirect to SMB attack builds on a vulnerability discovered in 1997 by Aaron Spangler, who found that supplying URLs beginning with the word 'file' (such as file://) to Internet Explorer would cause the operating system to attempt to authenticate with a SMB server at the IP address," wrote the company in a blog post. "It's a serious issue because stolen credentials can be used to break into private accounts, steal data, take control of PCs and establish a beachhead for moving deeper into a targeted network."

Attackers would have to gain access by having a targeted user click on a malicious e-mail link or harmful Web ad that connects a system to a server controlled by the attackers. The company said the flaw can be found in every version of Windows, including the previews of Windows 10, and could be executed with the use of one of the 31 vulnerable software packages discovered, which include Adobe Reader, Apple QuickTime, Internet Explorer and Windows Media Player, to name a few.

While the team has been able to provide proof of concept for the flaw, it said that there have been no known attacks using the Redirect to SMB flaw. It suggests that outbound traffic from TCP 139 and TCP 445 be blocked. Cylance also called out Microsoft for not patching the SMB server issue when it was first discovered.

"Microsoft did not resolve the issue reported by Aaron Spangler in 1997," wrote Cylance. "We hope that our research will compel Microsoft to reconsider the vulnerabilities and disable authentication with untrusted SMB servers. That would block the attacks identified by Spangler as well as the new Redirect to SMB attack."

Microsoft responded in a statement saying the SMB flaw was not as serious as Cylance claims due to the difficulty attackers would have when attempting to take advantage of the vulnerability. "Several factors would need to converge for a 'man-in-the-middle' cyberattack to occur. Our guidance was updated in a Security Research and Defense blog in 2009, to help address potential threats of this nature," said Microsoft in a statement to Reuters. "There are also features in Windows, such as Extended Protection for Authentication, which enhances existing defenses for handling network connection credentials."
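To check whether the recommended egress block on TCP 139 and TCP 445 is actually in effect, firewall logs can be searched for internal hosts reaching those ports on external addresses. The Python below is an added example, not code from Cylance, Microsoft or this article; the log format, the internal address ranges and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: address space this organisation treats as internal (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}  # the two TCP ports the article says to block outbound

# Hypothetical log format: "<timestamp> <action> TCP <src>:<port> -> <dst>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+TCP\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed sample data; external addresses come from documentation ranges.
SAMPLE_LOG = """\
2015-04-13T10:02:11Z ALLOW TCP 10.1.4.23:49822 -> 203.0.113.45:445
2015-04-13T10:02:12Z ALLOW TCP 10.1.4.23:49823 -> 10.1.0.5:445
2015-04-13T10:03:40Z DENY TCP 10.1.7.80:50211 -> 198.51.100.9:139
2015-04-13T10:04:02Z ALLOW TCP 10.1.4.23:49830 -> 203.0.113.45:443
2015-04-13T10:05:19Z ALLOW TCP 192.168.3.14:51002 -> 203.0.113.45:445
malformed line that the parser must skip
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def find_outbound_smb(log_text):
    """Return records for internal hosts reaching SMB ports on external hosts."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) not in SMB_PORTS:
            continue  # unparseable line, or not SMB/NetBIOS session traffic
        if is_internal(m["src"]) and not is_internal(m["dst"]):
            hits.append({"time": m["ts"], "src": m["src"], "dst": m["dst"],
                         "port": int(m["dport"]),
                         "blocked": m["action"] == "DENY"})
    return hits

def unblocked_sources(hits):
    """Internal hosts whose outbound SMB was allowed, i.e. no egress block applied."""
    return sorted({h["src"] for h in hits if not h["blocked"]})

if __name__ == "__main__":
    found = find_outbound_smb(SAMPLE_LOG)
    print(len(found), "outbound SMB connections;",
          "hosts without an egress block:", unblocked_sources(found))
```

Internal-to-internal SMB (the second sample line) is deliberately ignored, since the recommendation concerns traffic leaving the network.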

About the Author

Chris Paoli is the site producer for and

