As a Linux user I have kept Windows 7 & 8 partitions on my laptop and workstation disks for years, because there used to be a time when you needed Windows at work for some programs to work and some documents to open.

The Windows 10 upgrade push made me realize that that time passed a long time ago. The last time I booted into Windows for any reason other than playing a game was seven years ago. LibreOffice works well with MS documents, and you can always use them from Google Drive.

Windows has lost its grip for good.

And people wonder why some of us haven't upgraded from Windows 7.

Win10 tries *really hard* to make you log into your desktop with your Live Account credentials - you can't use the store without this. Whereas if it were just leaking a local login it would be much less critical.

Until a fix is released, this can be mitigated by blocking outbound TCP connections on ports 139 and 445.

Individual users can do this by setting up suitable outbound rules in the Windows Firewall with Advanced Security snap-in (wf.msc).

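A scripted equivalent of the wf.msc mitigation above, added here as an example (not code from the thread or from Microsoft); it assumes an elevated PowerShell prompt, and the rule name is made up:

```powershell
# Block outbound SMB (TCP 139 and 445) so that a browser-triggered NTLM
# handshake cannot reach a host on the internet. Run from an elevated prompt.
$ruleName = 'Block outbound SMB (NTLM leak mitigation)'   # assumed name

# Idempotent: drop any earlier copy of the rule before re-creating it.
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

New-NetFirewallRule -DisplayName $ruleName `
    -Direction  Outbound `
    -Protocol   TCP `
    -RemotePort 139,445 `
    -Action     Block `
    -Profile    Any `
    -Enabled    True | Out-Null

# Verify that the rule exists, is enabled, and carries the intended port filter.
$rule  = Get-NetFirewallRule -DisplayName $ruleName
$ports = ($rule | Get-NetFirewallPortFilter).RemotePort
'Rule "{0}": enabled={1} action={2} remote TCP ports={3}' -f `
    $rule.DisplayName, $rule.Enabled, $rule.Action, ($ports -join ',')

# Caveat: this also blocks legitimate SMB to file servers on the LAN. Because
# Windows Firewall gives block rules precedence over allow rules, an allow rule
# for trusted servers will not punch through; instead narrow the block itself
# with -RemoteAddress to the address ranges you want cut off.
```
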
Somehow I'm not surprised, neither by the way it's broken nor by the neglect on Microsoft's part on this issue...

Pretty much every non-standard, Microsoft-only approach to things seems to be broken one way or another, only to be fixed after someone threatens to expose and exploit it. I know it's gotten better in recent years, but the fact that it's still something that seems to be pushed from the outside in, instead of being part of the manufacturer's culture, shines through rather harshly.

Microsoft should fix this ASAP.

You should enable two-factor authentication (2FA) on your account.

https://support.microsoft.com/en-us/help/12408/microsoft-account-about-two-step-verification

tl;dr: Simply accessing a website with Edge leaks the user name and password hash to the attacker's site. They mention that this is also default behaviour in Spartan, Internet Explorer and Outlook (though I do not know how effectively it can be delivered to something like Outlook).

Works on up-to-date Windows 10 and Edge (there is an online test to check whether you're vulnerable). If you don't use the listed software, you're probably completely safe (maybe there is other Microsoft software that does this, though?). If you don't use your Microsoft Live Account as a Windows account, you're safe (someone then just finds out the hash of your local password).

EDIT: Interestingly, Edge on the Xbox One is not vulnerable. It seems like the behaviour on the console is different.

> Edge, Spartan, Internet Explorer (just saying..)

Why does he keep repeating "Spartan"? That was Edge's codename. Now it's just Edge. Is he referring to the engine that can be embedded into other applications? If so, it's called EdgeHTML.

The article recommends that you "strengthen your Microsoft Live account password", but if I understand the vulnerability, it is only exposing the hash of your password?

If it's only exposing the hash, why should you make your password stronger?

This is fun to write for yourself: a small SMB client to couple a unique file request to the credentials, and a website showing the info retrieved via SMB; I think I found my weekend project :)

Just to clarify the article a bit:

Your password hash is not sent over the wire. What is sent over the wire is the NTLMv2 response message. This, simplified, is: HMAC_MD5(Hash | challenge). If you want the gory details, check out MS-NLMP.

That said, a dictionary-attackable password + an attacker with fast GPUs can still brute-force the HMAC, then attack the password hash (MD4). It's a bit harder than just banging on a simple hash, though not terrifically difficult.

Does this affect Microsoft software on Macs? We use Outlook on our MacBooks at work and I'm wondering if a single mass email can get everyone's Exchange password, or at least the md5sum of their passwords.

Huh, their evile 31337 haxx0r background looks like a blatant copyright violation. It's artwork based on a video game cover. Previously also "stolen" by the BBC: http://www.gamesradar.com/wait-did-bbc-use-thief-art-illustrate-story-about-hacker/ (since then apparently replaced, http://www.bbc.com/news/technology-33442419 )

Also available for illegitimate at http://www.shutterstock.com/pic-389962378/stock-photo-hacker-and-computer-virus-concept.html or http://www.shutterstock.com/pic-345906527/stock-photo-dangerous-hacker-stealing-data-concept.html