Microsoft Account Credentials Leak vulnerability

What would you say if I told you that an almost two decade old vulnerability in Windows may leak your Microsoft Account credentials when you visit a website, read an email, or use VPN over IPSec?

A bug, that goes all the way back to Windows 95 is causing major issues on Windows 8 and Windows 10.

Basically, what happens is the following: Microsoft Edge, Internet Explorer, Outlook and other Microsoft products allow connections to local network shares. What the default settings don't prevent on top of that is connections to remote shares.

An attacker could exploit this by creating a website or email with an embedded image or other content that is been loaded from a network share.

Microsoft products like Edge, Outlook or Internet Explorer try to load the network share resource, and send the active user's Windows login credentials, username and password to that network share.

The username is submitted in plaintext, the password as a NTLMv2 hash.

Microsoft Account Credentials Leak vulnerability

There are two main issues that arise from that. First, the account data is exposed to third parties which may try cracking the hash to recover the user password.

Second, since account information leak, it may very well be a privacy issue especially if Tor or VPN services are used to improve privacy while on the Internet.

The reason why the attack is more promising under Windows 8 and newer is that Microsoft accounts are the default sign in option on those systems. This means that Microsoft account credentials are leaked to the network share, and not a local username and password.

A proof of concept web page is available which will test the underlying system to find out whether it is vulnerable or not. Please note that a successful attack will submit the Windows username and password to a third-party site. Click here to open the demo site.

Mitigation

The best course of action is to use third-party products instead of Microsoft products for the time being. While this may work in some situations, it won't in others.

The researchers who discovered the issue suggest to configure Windows Firewall in this case to protect against these attacks.

In addition to network perimeter firewalls, we therefore advocate for a host based hardening thanks to the Windows Firewall present in any Windows machine running at least Windows XP SP2. By enforcing egress filtering on ports 137/138/139/445 and dropping any IP packet leaving the host with a destination matching any of those ports and having a public IP as a target host, we offer a more consistent protection against those attacks.

Also, making sure that the password strength is sufficient to make brute force attacks less of an issue. 

Now You: Do you use Microsoft software?