Microsoft Live Account Credentials Leaking From Windows 8 And Above

Almost two decades ago (1997), Aaron Spangler discovered an Automatic Authentication Vulnerability (IE Bug #4) on WinNT/Win95. Vintage as it is, the issue has still not been addressed. Unfortunately, the bug has been found to affect Windows 8 and 10, where it potentially leaks the user’s Microsoft Live account credentials. The same credentials are also used to access OneDrive, Outlook, Office, Mobile, Bing, Xbox Live, MSN and Skype (if used with a Microsoft account).

In hindsight, we have been vulnerable since the days of Windows 95/NT. Sad to say, Windows 8 and newer are effectively compromised. Here is a link to the public demonstration of the exploit (click here).

In a nutshell, the default User Authentication Settings of Edge/Spartan (and also of IE and Outlook) let it connect to local network shares, but erroneously fail to block connections to remote shares.

To take advantage of this, an attacker only has to set up a network share.

The next step is to embed an image link that points to that network share, which is then sent to the victim, for example as part of an email or website.

Once this is opened up using a Microsoft product such as Edge/Spartan, Internet Explorer or Outlook, that software will try to connect to that share in order to download the image.

Unfortunately, it will silently send the user’s Windows login username in plaintext along with the NTLMv2 hash of the login password to the attacker’s network share.

Although this has been known for a long time, it has only recently become severe.

Back then, the attacker would have obtained only your local Windows login data, but in Windows 10 the default login method is the user’s Microsoft Live account. An attacker may or may not have to resort to GPU-assisted hash-cracking to retrieve the password from the NTLMv2 hash, but the result can be as thorough as a full compromise, including the Microsoft services mentioned above and even remote access.

To avoid this, it is highly recommended that you use a firewall, strengthen your Microsoft Live account password and avoid using Microsoft products such as Edge/Spartan, Internet Explorer and Outlook, as well as VPN connections over IPSec, which may leak VPN credentials in the same way. As of this writing, Firefox and Chrome are not affected.
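A defensive check for the embedded image link described above, as an added example that is not part of the original article: it parses HTML (a mail body or a web page) and reports every fetch-triggering attribute whose value is a UNC path or a `file:` URL naming a remote server. The function names, the attribute list and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Attributes that make a client fetch a resource when the HTML is rendered.
FETCH_ATTRS = {"src", "href", "background", "data", "poster"}
LOCAL_HOSTS = {"", ".", "?", "localhost", "127.0.0.1"}

def remote_share_host(value):
    """Return the server named by a UNC path or file: URL, or None."""
    v = value.strip()
    if v.startswith("\\\\"):                  # \\server\share\file
        rest = v[2:].replace("\\", "/")
    elif v.lower().startswith("file:"):
        body = v[5:].replace("\\", "/")
        rest = body.lstrip("/")
        slashes = len(body) - len(rest)
        # file:///C:/x (three slashes) is a local path; two slashes, or
        # four and more, put a server name first.
        if slashes < 2 or slashes == 3:
            return None
    else:
        return None                           # http(s), //host/..., relative
    host = rest.split("/", 1)[0].lower()
    return None if host in LOCAL_HOSTS else host

class ShareRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []                        # (tag, attribute, host)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            host = remote_share_host(value) if name in FETCH_ATTRS and value else None
            if host:
                self.hits.append((tag, name, host))

def find_share_refs(html):
    finder = ShareRefFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

# Constructed sample markup (documentation addresses and example domains).
SAMPLE = r'''<img src="https://www.example.com/logo.png">
<img src="\\203.0.113.5\share\pixel.png" width="1" height="1">
<IMG SRC="file://files.example.net/pub/banner.gif">
<img src="file:///C:/Users/Public/Pictures/local.png">
<a href="//cdn.example.com/style.css">protocol-relative link</a>'''

if __name__ == "__main__":
    for tag, attr, host in find_share_refs(SAMPLE):
        print(f"<{tag} {attr}> would contact share host {host}")
```

Any hit in inbound mail or in a proxied page is worth quarantining or logging, because rendering the element is what triggers the connection to the share.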
