Zoom patches Windows vulnerability that let attackers steal your Windows login from dodgy chat links

Originally published at: https://boingboing.net/2020/04/03/zoom-windows-login.html

…

Isn’t this as much a Windows issue as it is a Zoom issue? Why does Windows allow any app to have that kind of access?

It’s a bit of both: It is Windows’ fault because the trick relies on getting the OS to use old-school NTLM authentication against the attacker’s SMB server. If(as is recommended but not default out of box because it breaks a bunch of things) you make sure that doesn’t happen you are OK.

It’s not a good look for Zoom because it’s customary to at least try to keep the phishing and malice links down to a dull roar when operating a chat mechanism that has lots of arbitrary people thrown together to dump things freely into the chat window; and it has been a de-facto rule that there is no safe or sensible reason to see SMB exposed on the public internet; so, as filtering goes, “unless the participants are on the same LAN that should definitely get scrubbed” is fairly clear cut.

(edit: specifically, you want “Send unencrypted password to third-party SMB servers” set to “disabled”, which is the default; “LAN Manager authentication level” set to “Send NTLMv2 response only. Refuse LM and NTLM”, which is not the default; and “Outgoing NTLM traffic to remote servers” set to “disabled”, with a specific whitelist if required by your environment, which is definitely not the default.

You probably also want outbound port 445 to die at the firewall(which is why this attack is particularly unpleasant against work-from-home targets, since that’s a lot more likely to be properly configured on the company network than trusty Linksys); and it’s never a bad idea for SMBv1 to be off. Having “Microsoft network client: Digitally sign communications (always)” set to “enabled” is probably also good.)

This topic was automatically closed after 5 days. New replies are no longer allowed.