CATEGORIES
home News

Decades Old Windows Password Flaw Is Still Haunting Windows 10 Users

by Rob WilliamsSaturday, August 06, 2016, 01:45 PM EDT

It's no surprise that a number of exploitable security holes still exist in the operating systems we use each and every day. It's just the nature of the beast; we're talking about software that has hundreds of millions of lines of code. Despite a developer's best efforts, it's virtually impossible to release bulletproof software - with all the moving pieces it's just far too complex.

What is a bit of a surprise, though, is knowing that a vulnerability exists and that a major corporation (seemingly) has no interest in patching it up. That's the only conclusion we can draw from a bug that still exists in Windows - and it has existed for nearly two decades.

Windows 10 Desktop Wallpaper

The exploit is rather simple in design: an attacker needs to embed a network share URL in a webpage, which tricks the browser into thinking that the file source is on the user's own network. The result is that the browser will try to authenticate the share to access the file, which can result in the user details being sent in plain text over the Internet.

The only saving grace here is that the credentials being leaked are hashed, but if you're using a simple one, it could be cracked in a matter of seconds. At the website linked in the image below, VPN provider Perfect Privacy has a proof-of-concept that you're able to test out, in either Internet Explorer or Edge.

In a personal test, I was deemed secure, but a colleague who ran the test did in fact get their password spit back at them. Fortunately for them, it was a local password only, as they don't log into Windows with their Microsoft account.

NTLM Exploit Test

Now, imagine if someone's password leaked and they were logged into a Microsoft account. That means the attackers could suddenly gain access to that person's entire life inside of Microsoft - email, Xbox, Office, and so on. That's more than unsettling for some.

The moral of the story here? Considering the fact that this exploit requires Internet Explorer or Edge to prove successful, it would seem that avoiding those browsers would be a good start. The ultimate fix is obviously Microsoft patching the exploit, hopefully sooner than later. It has been nearly two decades, after all.

Tags:  Microsoft, security, Windows 10, (nasdaq: msft)
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment