Hackers have discovered a decades-old flaw on Windows 8 and 10 which could leak your Microsoft Account user name and hashed password to any website if you use Microsoft products like Edge or Outlook to access them.
The exploit would have hackers embed a image in a web page which loads from a SMB network share. The Microsoft product would try and load the network share resource, and and send the active user’s Windows login credentials, username and password to that network share. The username is send in plaintext, and the password as a NTLMv2 hash.
This presents two risks. Since your Microsoft account is now your user name in most cases your email address and therefore identitty can be leaked to random websites. More sophisticated hackers could also try and crack your password, which would put much more at risk.
The researches suggest 3 mitigations:
- Do not use Microsoft software to connect to web sites (e.g. Edge or Outlook). This may however not prevent all issues.
- Use a strong password that is not easy to crack.
- Use your firewall to block the SMB ports. By enforcing egress filtering on ports 137/138/139/445 and dropping any IP packet leaving the host with a destination matching any of those ports and having a public IP as a target host. This would obviously be more useful for home that business users.
Hopefully a fix will soon be on the way to address this serious issue.