Windows 8 and Windows 10 users could run afoul of this legacy bug as they enter their Microsoft Account credentials, according to a report from WinBeta. The issue is that services including Microsoft Edge, Internet Explorer, and Outlook allow connections to local network shares — but default settings don’t prevent connections to remote shares.
This could be exploited through the creation of a website or a scam email that uses content loaded from a network share. Microsoft’s web browsers and email clients would try load the network share resource, and in doing so, send the active user’s login credentials to that network share.
The report detailing this issue states that in this eventuality, usernames would be submitted in plain text, while the password would be hashed using the NTLMv2 protocol.
This problem was never such a threat in earlier versions of Windows, because users would log into their system with a local username and password. However, since Windows 8 and Windows 10 users log in with their Microsoft Account, there’s far more potential for this gap in security to be exploited.
The research team responsible for these findings recommends that users either adopt third-party services in place of their Microsoft equivalents for the time being, or use a “host-based hardening” technique detailed in their report.
However, it seems likely that Microsoft will deliver a fix as soon as possible, now that the issue has been detailed in this manner. The company just launched its much-hyped Windows 10 Anniversary Update on August 2, so now would be a good time to demonstrate an efficient response to security concerns such as this.
