A previously disclosed flaw in Windows has recently resurfaced, and it can easily allow a hacker to steal the username and password of any signed-in Windows user. The hacker only has to trick the user into visiting a malicious website, which then sends the username and password to the hacker.

Microsoft Won’t Fix Severe Flaw In Windows That Lets Hackers Steal Your Password

A long time ago, when computers were single-core and ran fine with 256 MB of RAM, and networks running Windows were already very widely used, the people at Microsoft decided it would be convenient to authenticate only once, when you start your computer, and to have access to internal resources happen automatically without entering a password. The result was the so-called SSO (Single Sign-On).

Single Sign-On works very simply: when the user tries to access any resource that uses NTLM authentication (the standard authentication method in Windows networks), the operating system immediately sends the domain name, the account name and the hash of the current user's password. Only if the login with that data fails does it display the dialog box for entering a username and password.

Hence, a bug in Windows could allow any hacker to steal the username and password of each logged-in user, simply by getting that user to visit a malicious website.

The defect entered the system about 20 years ago. Aaron Spangler found the flaw in 1997, and it was revived in 2015 at Black Hat, the annual cyber security meeting in Las Vegas.

As soon as you try to open a link to an SMB resource in a standard browser (Internet Explorer, Edge), or in any application that works through standard Windows API calls or uses Internet Explorer as its engine for displaying HTML (Outlook, Windows Explorer), the SMB share immediately gets your account information, before you ever see a username and password dialog box.

The problem was not considered major until Windows 8 allowed users to log in with their Microsoft accounts, which link their Xbox, Hotmail, Outlook, Office and Skype accounts, among others.

Hence, the attack has recently become larger in scope and allows attackers to take over a Microsoft account completely. The attack works in the default browsers because Internet Explorer and Edge (in Windows 10) allow the user to access local shared network resources but do not completely block connections to remote shared resources.

To take advantage of this, hackers might trick the user into visiting a webpage created especially for Internet Explorer and Edge that leads to the hackers' own network. The browser will silently send the username and password to the hacker, who can collect them quickly. If the passwords are weak, they can be easily cracked and used to access user accounts.
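
On the defensive side, a mail gateway or web proxy can flag such pages before Internet Explorer, Edge or Outlook renders them. The following added example (not from the original article) scans HTML for `href`/`src` values that point at an SMB share on a non-local host. The function names, the `.corp.example` suffix, the list of local ranges and the sample markup are assumptions made for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]")  # \\host\share
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (  # "local" ranges: an assumption
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def smb_host(url):
    """Return the server name if url points at an SMB share, else None."""
    if m := UNC_RE.match(url.strip()):
        return m.group(1)
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme != "file":
        return None
    # file://host/share, or file:////host/share (empty authority, host in path)
    if parts.hostname or not parts.path.startswith("//"):
        return parts.hostname
    return parts.path.lstrip("/").split("/")[0] or None

def is_remote(host, internal_suffixes=(".corp.example",)):  # suffix is hypothetical
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a name, not an IP: single-label names count as intranet
        host = host.lower().rstrip(".")
        return "." in host and not host.endswith(internal_suffixes)
    return not any(ip in net for net in INTERNAL_NETS)

class RefCollector(HTMLParser):
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            host = smb_host(value) if name in ("href", "src") and value else None
            if host and is_remote(host):
                self.hits.append((tag, host))

def find_remote_smb_refs(html):
    parser = RefCollector()
    parser.hits = []  # (tag, host) for each reference to a remote SMB share
    parser.feed(html)
    return parser.hits

# Constructed sample markup (hosts are placeholders).
SAMPLE = r'''<a href="\\fileserver\public\readme.txt">intranet share</a>
<img src="file://files.example.net/share/pixel.png">
<a href="\\198.51.100.7\docs\report.docx">report</a>'''
```

Calling `find_remote_smb_refs(SAMPLE)` reports the two references to remote hosts and ignores the single-label intranet share.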

“We are aware of this technical information collection, as previously described in an article published in 2015. Microsoft published a guide to help protect customers and if necessary, we will take additional measures,” said a spokesman for Microsoft.

What is the solution?

‘Perfect Privacy’, a virtual private network (VPN) provider, said in a blog post that there is a way to avoid this problem: stop using Internet Explorer, Edge or Microsoft Outlook, and do not log on to Windows with a Microsoft account. Users of Chrome and Firefox, however, are not affected.