Microsoft has fixed a serious Outlook bug it has known about for over a year, capable of leaking password hashes when users preview a Rich Text Format (RTF) email with remotely hosted OLE objects.
The bug, reported by CERT/CC vulnerability researcher Will Dormann in November 2016, was finally fixed in yesterday’s Patch Tuesday release.
The risk to passwords stems from how Outlook handles RTF email with Object Linking and Embedding (OLE) objects that are hosted on a remote SMB server.
SMB (Server Message Block) is a network file-sharing protocol. SMB servers can use Microsoft’s NT LAN Manager (NTLM) authentication protocol to authenticate a connection between a Windows client and an SMB server.
In 2016, Dormann discovered that Microsoft didn’t apply the same restrictions to content loaded from a remote SMB server as it did to web-hosted content.
Outlook won’t, for example, automatically load web-hosted images in email because doing so could leak the client’s IP address and metadata such as the time the email is viewed.
However, this precaution isn’t present in Outlook when recipients preview an RTF email message with an OLE object loaded from a remote SMB server.
Dormann discovered that the OLE-SMB scenario also leaks much more than the user’s IP address. As soon as the email is previewed, the PC automatically negotiates an SMB session with the potentially malicious remote SMB server, which in turn leaks the client’s IP address, domain name, user name, host name, and the SMB session key in the form of an NTLM over SMB password hash.
The immediacy of the threat from such an attack would depend on the strength of the target’s password.
Dormann’s test with two password crackers on a mid-range GPU cracked simple passwords like ‘test’ within seconds. All lower-case randomly generated letters could be cracked in just 16 minutes, while an eight-character passphrase with mixed-case letters, digits, and symbols would take at least one year with this minimal set-up.
However, Dormann notes that Microsoft’s fix for the vulnerability, CVE-2018-0950, doesn’t prevent all remote SMB attacks.
Instead of loading a remote image, an attacker could send a target a Universal Naming Convention (UNC) link beginning with ‘\\’ to direct the user to a malicious SMB server, which will still automatically start an SMB session that leaks the same data. But the victim would need to click the link rather than merely preview the email.
He recommends installing the Microsoft patch but advises admins to take other precautions, including blocking specific TCP and UDP ports for incoming and outgoing SMB sessions, blocking NTLM single sign-on to external resources, and requiring users to use longer passphrases over passwords.
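The UNC-link case that remains after the patch can also be flagged before a message reaches the user. The following Python is an added example, not code from Dormann, CERT/CC or Microsoft: it scans the text parts of an email for `\\host\share` and `file://host/` references and reports the hosts that lie outside the organisation. The `.corp.example` suffix, the function names and the sample message are assumptions constructed for the example.

```python
import ipaddress
import re
from email import message_from_string

# Assumption: DNS suffixes of the organisation's own file servers (constructed).
INTERNAL_SUFFIXES = (".corp.example",)

# \\host\share UNC paths and file://host/share URLs both cause Windows to open an SMB session.
UNC_RE = re.compile(r"(?:\\\\|file:/{2,})([A-Za-z0-9._-]+)[\\/]", re.IGNORECASE)

def is_external(host):
    """True unless the host is a non-global IP, a single-label name or an internal suffix."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        pass  # not an IP literal, treat as a DNS or NetBIOS name
    host = host.lower().rstrip(".")
    return "." in host and not host.endswith(INTERNAL_SUFFIXES)

def external_smb_refs(raw_message):
    """Return the sorted external SMB hosts referenced in any text part of an email."""
    hosts = set()
    for part in message_from_string(raw_message).walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        body = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        hosts.update(h for h in UNC_RE.findall(body) if is_external(h))
    return sorted(hosts)

# Constructed sample message (not taken from the article).
SAMPLE = r"""From: sender@mail.example
To: user@corp.example
Subject: Q2 report
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Report: <a href="file://smb.external.example/share/q2.docx">open</a></p>
<p>Team copy: \\fs01.corp.example\reports\q2.docx or \\10.0.0.5\reports\q2.docx</p>
"""

if __name__ == "__main__":
    print(external_smb_refs(SAMPLE))
```

Only the link to the outside host is reported; the internal file server and the private address are ignored. RTF bodies carried in TNEF attachments are not unpacked here, so this check covers the clickable-link case only.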
Microsoft has provided patches for 63 vulnerabilities in this month’s update, including 22 critical flaws.