The vulnerability previously disclosed in Windows could allow an attacker to steal the username and password of any logged-in user – simply by tricking a user into visiting a malicious Web site.
But new evidence now shows just how easy it is to steal someone’s information.
This vulnerability is widely known, and it is thought to be nearly 20 years old. It is thought to have been discovered by Aaron Spangler in 1997, and most recently by researchers at Black Hat, the annual security and hacking conference in Las Vegas.
The flaw was not a big deal until Windows 8 started allowing users to log into their Microsoft accounts, linking their Xbox, Hotmail, Outlook, Office and Skype accounts.
Overnight, the attack became larger in scope, and it now allows an attacker to conduct a full takeover of a Microsoft account.
This vulnerability works because Internet Explorer and Edge (on Windows 10) allow users to access the local network but do not completely block connections to remote shares.
To exploit this, an attacker must trick the user into visiting a specially crafted site in Internet Explorer or Edge (on Windows 10) that points to a network share the attacker controls. The browser will silently send the username and password hash to that network share, where they can then be captured and stolen.
If the password is weak, the hash can be easily cracked and used to log into the user account. A password is strong enough if it has enough uppercase and lowercase letters, numbers and special characters. If your password is not strong enough, you should change your Hotmail password.
The vulnerability could also be triggered by sending an email message to a victim who uses Microsoft Outlook.
Perfect Privacy, a virtual private network (VPN) provider, said in a blog post that VPN connections were also affected. If a user visits a website while they are connected to a VPN, their credentials will also be leaked, potentially affecting the user’s anonymity.
The group has set up a site that harvests a visitor's username, domain and hashed password (if the password is an easy guess, it only takes a few seconds).
We were able to verify this on three computers in our lab using separate disposable Microsoft account logins. It is unclear where the data is sent, so we strongly recommend that you do not send your credentials to the site.
According to the group, there is some mitigation: do not use Internet Explorer, Edge, or Microsoft Outlook, and do not log on to Windows using a Microsoft account.
Chrome and Firefox users are not affected.
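The leak described above depends on a machine opening a connection to a share outside the local network, so defenders can look for exactly that in firewall or flow logs. The following is an added example, not part of the original article: it flags SMB connections (TCP ports 139 and 445) whose destination is not a local address. The log format, the function names and the sample records are assumptions constructed for illustration.

```python
import ipaddress

SMB_PORTS = {139, 445}  # NetBIOS session service and SMB over TCP

# Ranges treated as "local network" here. Listed explicitly because
# ipaddress.is_private also covers documentation and other reserved ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",               # IPv6 equivalents
)]

# Constructed sample records in an assumed format (not real traffic):
# "timestamp src_ip dst_ip dst_port protocol"
SAMPLE_LOG = """\
2024-01-01T10:01:12 192.168.1.20 192.168.1.5 445 tcp
2024-01-01T10:01:40 192.168.1.20 203.0.113.7 445 tcp
2024-01-01T10:02:03 192.168.1.21 198.51.100.9 443 tcp
2024-01-01T10:02:30 10.0.0.8 198.51.100.9 139 tcp
2024-01-01T10:03:00 10.0.0.8 fe80::1 445 tcp
malformed line
"""

def is_local(ip):
    """True if the address falls inside one of the local ranges above."""
    return any(ip in net for net in LOCAL_NETS)

def remote_smb_connections(log_text):
    """Return (time, src, dst, port) for SMB connections leaving the local network."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip records that do not match the assumed format
        ts, src, dst, port, proto = parts
        try:
            dst_ip = ipaddress.ip_address(dst)
            port_no = int(port)
        except ValueError:
            continue  # unparseable address or port
        if proto.lower() == "tcp" and port_no in SMB_PORTS and not is_local(dst_ip):
            hits.append((ts, src, dst, port_no))
    return hits

if __name__ == "__main__":
    for hit in remote_smb_connections(SAMPLE_LOG):
        print("outbound SMB to non-local host:", hit)
```

Any hit is a workstation that tried to authenticate to a share outside the local ranges, which is the condition the article describes.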
A Microsoft spokesman has suggested that the company will not patch the vulnerability.
“We know about this information-gathering technique, previously described in an article in 2015. Microsoft released instructions to help protect customers and, if necessary, sung,” the spokesman said.