Computer security researchers said they have discovered a new variation in an old vulnerability in the Microsoft Windows operating system that cold allow hackers to steal login credentials from hundreds of millions of PCs.
This new security flaw in Microsoft's operating system, named "Redirect to SMB" by security firm Cylance, is actually a variation in a very old vulnerability first discovered in the 1990s that took advantage of a weakness in Windows and Microsoft's Internet Explorer browser. This vulnerability made it possible for attackers to trick Windows into signing onto a server controlled by hackers.
According to Cylance, all a hacker has to do is convince a Windows user to click on a bad link in an email or a website where it can then essentially hijack communications and steal sensitive information from a user's computer once it has logged on to a controlled server.
In this latest variation, users could fall victim to the security flaw without even knowing it. Windows users don't even have to click a bad link if the attackers can intercept automated requests to log into a connected server by applications running in the background of many typical Windows machines.
The attack takes advantage of features in the Windows Server Message Block, more commonly known as SMB. Thus far, security experts have yet to see this flaw being exploited in the outside world but have been able to successful reproduce this flaw in the laboratory.
Microsoft said that the threat posed to users by the weakness is not a great as Cylance claims.
"Several factors would need to converge for a 'man-in-the-middle' cyberattack to occur. Our guidance was updated in a Security Research and Defense blog in 2009, to help address potential threats of this nature," said Microsoft in an emailed statement. "There are also features in Windows, such as Extended Protection for Authentication, which enhances existing defenses for handling network connection credentials."
The CERT unit of the Software Engineering Institute at Carnegie Mellon University, which is a federally funded body that tracks computer bugs and Internet security threats, issued a warning about the Windows vulnerability on Monday.
Currently there is no known full solution to the problem, but CERT has suggested ways to minimize the risk of the vulnerability. Microsoft will most certainly be releasing a patch in the coming days or, perhaps, weeks to fix the problem depending upon how long it takes the to track down the source of the security hole and plug it permanently.