Critical design flaw in Active Directory could allow for a password change

Microsoft contends the general issue has been long-known, but Israel-based Aorato has developed a working attack

By Jeremy Kirk

Microsoft's widely used software for brokering network access has a critical design flaw, an Israeli security firm said, but Microsoft contends the issue has been long-known and defenses are in place.

Aorato used public information to craft a proof-of-concept attack that shows how an attacker can change a person's network password, potentially allowing access to other sensitive systems, said Tal Be'ery, its vice president of research.

"The dire consequences we are discussing -- that an attacker can change the password -- was definitely not known," said Be'ery in a phone interview Tuesday.

About 95 percent of Fortune 500 companies use Active Directory, making the problem "highly sensitive," Aorato wrote on its blog.

The company's research focuses on NTLM, an authentication protocol that Microsoft has been trying to phase out for years. All Windows versions older than Windows XP SP3 used NTLM as a default, and newer Windows versions are compatible with it in combination with its successor, Kerberos.

 


Re: Critical design flaw in Active Directory could allow for a password change

Thanks Jeff, I was just reading that article via an MVP channel, so it looks like another big patch needs to come out at some point. Also from PCWorld: http://www.pcworld.com/article/2454103/critical-design-flaw-in-active-directory-could-allow-for-a-pa...

Daniel