Windows Credential Leak Flaw


17 replies to this topic

#1 kelkay


Posted 05 August 2016 - 01:28 PM

Understanding the Windows Credential Leak Flaw and How to Prevent It

 

This article on Bleeping Computer tells us we need to make a change in the Group Policy Editor.  I have Win10 Anniversary Update, and do not see Group Policy Editor on my computer at all. 

 

http://www.bleepingcomputer.com/news/security/understanding-the-windows-credential-leak-flaw-and-how-to-prevent-it/





#2 cybercynic


Posted 05 August 2016 - 01:37 PM

If you have Win 10 Home Edition, the Group Policy Editor is not included.


We are drowning in information - and starving for wisdom.


#3 JohnC_21


Posted 05 August 2016 - 01:39 PM

As noted in the article's comment section Windows 10 Home does not include the Group Policy Editor.

 

Cortana defaults to Edge on any Search and the Anniversary Edition supposedly has Web Searches on by default with no way of disabling it except through a registry edit.



#4 kelkay


Posted 05 August 2016 - 02:23 PM

So this is a problem.  Win10 Home Edition doesn't have a group policy editor, but that was said by someone in a comment below the article.  This is the first I've heard of this issue. 



#5 britechguy


Posted 05 August 2016 - 02:47 PM

I can confirm that the group policy editor is not included in Windows 10 Home Edition.  I was trying to figure out a way to make a shutdown sound play (and never met with success with that, despite all the help I received here and elsewhere) and needed it then.  I tried to install it, which worked, but which also triggered errors when running SFC and since I knew I didn't need group policy editor by that point I restored back to the pre-install state.


Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

     . . . the presumption of innocence, while essential in the legal realm, does not mean the elimination of common sense outside it.  The willing suspension of disbelief has its limits, or should.

    ~ Ruth Marcus,  November 10, 2017, in Washington Post article, Bannon is right: It’s no coincidence The Post broke the Moore story


 

 

 

              

 


#6 yu gnomi


Posted 06 August 2016 - 01:20 AM

from http://www.tenforums.com/windows-10-news/58328-windows-attack-can-steal-your-logged-username-password.html ,

 

go to Control Panel -->Internet Options -->Advanced Tab , scroll down to near bottom of list, un-check Enable Integrated Windows Authentication

 

then go to one of the test sites in the OP's article and verify that you are immune.



#7 n2fc


Posted 06 August 2016 - 08:52 AM

Also note that a restart is required after changing the option "Enable Integrated Windows Authentication" for it to take effect...



#8 Grinler

Lawrence Abrams (Admin)

Posted 06 August 2016 - 09:14 AM

Thanks...That's good to know. Will update my article here:

 

http://www.bleepingcomputer.com/news/security/understanding-the-windows-credential-leak-flaw-and-how-to-prevent-it/#comments

 

I wonder if this setting would prevent the leak in Outlook as well?



#9 kelkay


Posted 06 August 2016 - 09:24 AM

Yu gnomi and n2fc  THANK YOU SO MUCH.  So this only affects EDGE or IE?  I changed the Enable Integrated Windows Authentication setting.  Why isn't this the Windows default?  I am perturbed to say the least this wasn't fixed in Win10, and certainly the newer Anniversary Update.

 

I fixed the problem, thanks to you guys.  ALSO... If not for that article, I wouldn't have had a clue about this.


Edited by kelkay, 06 August 2016 - 06:55 PM.


#10 Grinler


Posted 07 August 2016 - 06:30 PM

We sure about the Integrated Auth? I just disabled it in IE in Windows 10, rebooted, and credentials still being disclosed.



#11 yu gnomi


Posted 07 August 2016 - 10:42 PM

I disabled IE on my Windows 10, so I have just been using Edge. I changed the Enable Integrated Windows Authentication setting after applying the gpedit fix you suggested in your write-up. 

 

I have since re-edited the restrict NTLM:outgoing NTLM traffic to remote servers to Allow All, while leaving Enable Integrated Windows Authentication unchecked.

 

Going to Perfect Privacy's test page I get this: [screenshot]

When I go to ValdikSS's test page I get this: [screenshot]

Followed by: [screenshot]

 

On my PC, disabling Enable Integrated Windows Authentication seems to be sufficient. I suppose that on other people's machines, there could be other settings at play than just that one, but I am not familiar enough with this feature to even guess what those might be.



#12 n2fc


Posted 08 August 2016 - 07:11 AM

Keep in mind that it is the MS account credentials that are at issue!  Are you using a LOCAL account?  If so, this is a non-issue, anyway!

 

I ONLY use local accounts, so my system will not have that data to leak!



#13 Guest_GNULINUX_*


Posted 08 August 2016 - 07:47 AM

"Keep in mind that it is the MS account credentials that are at issue!  Are you using a LOCAL account?  If so, this is a non-issue, anyway!"

Maybe it's not that simple... apparently other login details may also leak!

 

"While this is not a VPN related issue, it also affects VPN connections: When using an IPSec VPN connection, a successful attack will not reveal your Windows credentials but the username and password of your VPN connection. While this does not affect the security of the encryption of the VPN tunnel, it may compromise the anonymity of the VPN user. Also VPN login credentials of company VPNs (e.g. for external service agents) may fall into the hands of an attacker."

Source: Security Issue in Windows leaks Login Data

 

Also read the article in this BC topic for extra info.

 

Greets!  :wink:



#14 Grinler


Posted 08 August 2016 - 08:02 AM

"Keep in mind that it is the MS account credentials that are at issue!  Are you using a LOCAL account?  If so, this is a non-issue, anyway!

I ONLY use local accounts, so my system will not have that data to leak!"

 

Though Microsoft accounts have the most impact, local account credentials will leak too.  This could still be used by attackers who have access to a physical machine.

 

Not sure why we are having mixed reports about Integrated Auth. I can't seem to get it to work, so I still suggest using the policies as the safest measure to protect yourself.



#15 Guest_GNULINUX_*


Posted 08 August 2016 - 03:15 PM

OK, did some testing...
 
Windows 7 Ultimate (x64) VM in VirtualBox + newly created administrator account + tested with IE 11

Testpage: Perfect Privacy's Test Page

VM was reset after every test!

 
Test 1 : No settings changed...

result = leaking

 

Test 2 : Integrated Windows Authentication = unchecked + restarted the VM

result = leaking

 

Test 3 : Added RestrictSendingNTLMTraffic (Value data = 2) to registry

result = not leaking

 

Test 4 : Group Policy Editor, Outgoing NTLM traffic to remote servers (Deny all)

result = not leaking

 

Hope this helps!  :wink:
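
The registry change from Test 3 above, as an added example that is not part of the original thread, for editions such as Windows 10 Home that lack the Group Policy Editor. The key path and the meaning of values 0/1/2 are not given in the thread; they are the standard registry location behind the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy, and the function names are hypothetical.

```powershell
# Added example: audit or set the outgoing-NTLM restriction without gpedit.msc.
# Run from an elevated PowerShell prompt; writing under HKLM requires admin rights.

# Registry location backing the "Outgoing NTLM traffic to remote servers" policy
# (path not stated in the thread; supplied here as the documented location).
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ValueName = 'RestrictSendingNTLMTraffic'
$Meaning   = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }

function Get-OutgoingNtlmPolicy {
    # Returns the current value and its meaning; a missing value means the
    # restriction is not configured and NTLM responses are still sent.
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Value = $null; Setting = 'Not configured (NTLM is sent)' }
    }
    $v = [int]$item.$ValueName
    $label = if ($Meaning.ContainsKey($v)) { $Meaning[$v] } else { 'Unknown value' }
    [pscustomobject]@{ Value = $v; Setting = $label }
}

function Set-OutgoingNtlmPolicy {
    # Writes the DWORD; supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet(0, 1, 2)][int]$Value = 2)

    if ($PSCmdlet.ShouldProcess("$LsaKey\$ValueName", "Set DWORD to $Value")) {
        New-ItemProperty -Path $LsaKey -Name $ValueName `
            -PropertyType DWord -Value $Value -Force | Out-Null
    }
    Get-OutgoingNtlmPolicy
}

# Show the current state, then preview the "Deny all" change (value 2, as in Test 3).
Get-OutgoingNtlmPolicy
Set-OutgoingNtlmPolicy -Value 2 -WhatIf

# Remove -WhatIf to apply, then re-run one of the test pages to confirm.
# Set-OutgoingNtlmPolicy -Value 2
```

"Deny all" also blocks NTLM sign-in to legitimate servers that cannot use Kerberos (for example a home NAS or a share reached by IP address), so confirm those still work after applying it.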





