Microsoft is today closing off a vulnerability that one Chinese researcher claims has “probably the widest impact in the history of Windows.”
Every version of the Microsoft operating system going back to Windows 95 is affected, leaving anyone still running unsupported operating systems, such as XP, in danger of being surreptitiously surveilled.
According to Yang Yu, founder of Tencent’s Xuanwu Lab, the bug can be exploited silently with a “near-perfect success rate”, because the problem lies in the design of Windows itself. The ultimate impact? An attacker can hijack all of a target’s web use, granting the hacker “Big Brother power”, as soon as the victim opens a link or plugs in a USB stick, Yu claimed. He received $50,000 from Microsoft’s bug bounty program for uncovering the weakness, which he has dubbed BadTunnel. Microsoft issued a fix in its Patch Tuesday list of updates.
“Even security software equipped with active defense mechanisms are not able to detect the attack,” Yu said. “Of course it is capable of executing malicious code on the target system if required.”
Yu, one of only three people ever to receive a Microsoft bounty of more than $100,000, said there are myriad ways a hacker could exploit the flaw. “This vulnerability can be exploited through Edge, Internet Explorer, Microsoft Office and other third-party software on Windows,” Yu added. “It can also be exploited through web servers … or even through thumb drives – insert the thumb drive into one of the ports on the system and the exploitation is complete.”
How the attack works
Yu said a successful exploit of the flaw would spoof connections over NetBIOS, a protocol originally developed for IBM that allows software on different computers to communicate with one another over a local area network (LAN). Though the attack plays out on the target’s LAN, it does not require the hacker to sit on that network. It can even succeed when there are firewalls between the two parties, because Windows trusts replies from any IP address when certain NetBIOS queries are made, according to Yu.
The researcher found it was possible to guess the right identifier for the request (known as a transaction ID) and therefore have the target accept his replies as trusted. That meant it was possible to redirect the target’s traffic to his own PC, since the attacker could make it appear that their machine was a local network device, such as a print server or file server.
Not only could the hacker spy on non-encrypted traffic, they could intercept and tamper with Windows Update downloads. They could also inject further attacks into webpages visited by the victim. For instance, they could ensure that the “tunnel” between the target and the hacker remained open by inserting code into webpages cached by the browser.
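The mechanism described above rests on Windows accepting a NetBIOS name-service reply whenever its transaction ID matches an outstanding query, regardless of where the reply comes from. The following added example (it is not code from the article or from Xuanwu Lab) shows what a defender can do with that observation: it parses NetBIOS Name Service (UDP/137) packets and flags replies that arrive from outside the local subnet, that match no query the monitor saw go out, or that answer for a different name than was asked. The packet builders, the sample network 192.168.1.0/24, the name FILESRV and the off-network address 203.0.113.5 are all constructed for the example; the header and name encoding follow RFC 1001/1002.

```python
"""Detection sketch for spoofed NetBIOS Name Service (NBNS, UDP/137) replies.

Added example, not from the article. Parses NBNS packets and raises alerts
for replies that could not have come from the local network in good faith.
"""
import ipaddress
import struct

# NBNS header: transaction id, flags, qdcount, ancount, nscount, arcount (big-endian u16 each)
HEADER = struct.Struct("!HHHHHH")


def encode_name(name: str) -> bytes:
    """First-level encoding of a 16-byte NetBIOS name (RFC 1001 section 14.1)."""
    padded = name.upper().ljust(15)[:15] + "\x00"  # 16th byte: 0x00 = workstation service
    out = bytearray()
    for ch in padded.encode("ascii"):
        out.append(ord("A") + (ch >> 4))   # each nibble becomes one letter A..P
        out.append(ord("A") + (ch & 0x0F))
    return bytes([32]) + bytes(out) + b"\x00"


def decode_name(payload: bytes, offset: int):
    """Inverse of encode_name; returns (name, offset just past the encoded name)."""
    length = payload[offset]
    raw = payload[offset + 1: offset + 1 + length]
    chars = bytes(((raw[i] - 0x41) << 4) | (raw[i + 1] - 0x41) for i in range(0, length, 2))
    return chars[:15].decode("ascii").rstrip(), offset + 1 + length + 1


def build_query(txid: int, name: str) -> bytes:
    """Constructed sample: a broadcast name query as a Windows host would send it."""
    flags = 0x0110  # opcode QUERY, recursion desired, broadcast bit
    return HEADER.pack(txid, flags, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 0x20, 1)


def build_response(txid: int, name: str, ip: str) -> bytes:
    """Constructed sample: a positive name-query response mapping name -> ip."""
    flags = 0x8500  # response bit set, authoritative answer
    rr = struct.pack("!HHIH", 0x20, 1, 300000, 6)          # type NB, class IN, TTL, RDLENGTH
    rr += struct.pack("!H", 0) + ipaddress.IPv4Address(ip).packed  # NB_FLAGS + address
    return HEADER.pack(txid, flags, 0, 1, 0, 0) + encode_name(name) + rr


def parse(payload: bytes) -> dict:
    """Extract the fields the monitor needs from an NBNS packet."""
    txid, flags, _qd, _an, _ns, _ar = HEADER.unpack_from(payload)
    name, _ = decode_name(payload, HEADER.size)
    return {"txid": txid, "is_response": bool(flags & 0x8000), "name": name}


class NbnsMonitor:
    """Tracks outgoing queries from the local network and vets the replies."""

    def __init__(self, local_net: str):
        self.net = ipaddress.ip_network(local_net)
        self.pending = {}  # txid -> queried name

    def observe(self, src_ip: str, dst_ip: str, payload: bytes):
        """Returns None for a query, otherwise a list of alert strings (empty = benign)."""
        pkt = parse(payload)
        if not pkt["is_response"]:
            if ipaddress.ip_address(src_ip) in self.net:
                self.pending[pkt["txid"]] = pkt["name"]
            return None
        alerts = []
        if ipaddress.ip_address(src_ip) not in self.net:
            alerts.append("reply from outside local network")
        expected = self.pending.pop(pkt["txid"], None)
        if expected is None:
            alerts.append("reply with no matching outstanding query")
        elif expected != pkt["name"]:
            alerts.append("reply name does not match query")
        return alerts


if __name__ == "__main__":
    mon = NbnsMonitor("192.168.1.0/24")
    mon.observe("192.168.1.10", "192.168.1.255", build_query(0x1234, "FILESRV"))
    print(mon.observe("192.168.1.20", "192.168.1.10", build_response(0x1234, "FILESRV", "192.168.1.20")))
    print(mon.observe("203.0.113.5", "192.168.1.10", build_response(0x1234, "FILESRV", "203.0.113.5")))
```

The second printed result is the BadTunnel shape: a syntactically valid reply whose source sits outside the LAN. On a real sensor the same logic would run over captured UDP/137 traffic; the point of the example is that the host-side trust decision (transaction ID only) is precisely the check a network-side monitor must not repeat.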
Yu believes his findings are the first of their kind. “This is probably the very first time in history to successfully hijack the broadcast protocol within a local area network from the internet,” he added. “This is probably the very first time in history to successfully create a tunnel to pass through firewall and network address translation (NAT) devices, and attack intranet devices directly from the internet.”
Ollie Whitehouse, technical director at cyber security and risk mitigation specialist NCC Group, suggested the weaknesses would be difficult to exploit due to the need to “chain” different vulnerabilities. But Yu claimed that as long as the hacker understood the principles of the attack chain, they could write an exploit in just 20 minutes.
Users running supported Windows versions should update as soon as they can. For those running unsupported versions of Windows, such as XP, the researcher recommended disabling NetBIOS over TCP/IP. Microsoft has step-by-step guidance for just that on its TechNet site. Blocking outbound connections over the NetBIOS port 137 would have a similar effect. Yu is due to present his findings at the Black Hat conference in Las Vegas this August.
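The two mitigations the article names, disabling NetBIOS over TCP/IP and blocking outbound port 137, can be applied and verified from an elevated PowerShell session. The script below is an added example, not Microsoft’s TechNet guidance or anything from the article; it assumes a host with the NetSecurity module (Windows 8 / Server 2012 or later), so on XP the TechNet GUI steps apply instead. The rule display name and the function names are chosen for the example.

```powershell
# Added example (not from the article): apply and verify the BadTunnel mitigations.
# Run in an elevated session. Assumes Windows 8 / Server 2012 or later.

function Disable-NetbiosOverTcpip {
    # Win32_NetworkAdapterConfiguration.SetTcpipNetbios: 0 = use DHCP setting, 1 = enable, 2 = disable
    $configs = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"
    foreach ($cfg in $configs) {
        $result = Invoke-CimMethod -InputObject $cfg -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
        # ReturnValue 0 = applied, 1 = applied but a reboot is required
        [pscustomobject]@{ Adapter = $cfg.Description; ReturnValue = $result.ReturnValue }
    }
}

function Block-OutboundNetbiosNameService {
    # Port 137/UDP is the NetBIOS Name Service; the article suggests blocking it outbound.
    $name = 'Block outbound NetBIOS Name Service (UDP 137)'   # example rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol UDP `
            -RemotePort 137 -Action Block -Profile Any | Out-Null
    }
    Get-NetFirewallRule -DisplayName $name | Select-Object DisplayName, Enabled, Action, Profile
}

function Test-NetbiosMitigations {
    # SetTcpipNetbios writes NetbiosOptions under each Tcpip_{GUID} interface key; 2 = disabled.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    $stillEnabled = foreach ($iface in Get-ChildItem -Path $base) {
        $opt = (Get-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        if ($opt -ne 2) { $iface.PSChildName }
    }
    $rule = Get-NetFirewallRule -DisplayName 'Block outbound NetBIOS Name Service (UDP 137)' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NetbiosDisabledEverywhere = (-not $stillEnabled)
        InterfacesStillEnabled    = @($stillEnabled)
        OutboundPort137Blocked    = ($null -ne $rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Block')
    }
}

Disable-NetbiosOverTcpip
Block-OutboundNetbiosNameService
Test-NetbiosMitigations
```

Disabling NetBIOS over TCP/IP also removes NetBIOS name resolution for legitimate uses on that segment, so test on a representative machine before rolling it out; the verification function reports which interfaces still have it enabled so a partial rollout is visible.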