Google does their bit to help WannaCry and Petya live longer

Two weeks ago we posted that Microsoft was removing SMBv1 file sharing from future versions of Windows.  The vulnerable file sharing protocol was instrumental in making the recent WannaCry and Petya attacks so successful by allowing lateral spread on a Windows network to other Windows users without them even needing to open any attachments.
Microsoft has been deprecating the SMBv1 protocol since 2014, as it is inherently less secure than more recent versions of the file sharing protocol.
Google, with impeccable timing, has now released an SMB client for Android which is full featured, but only supports SMBv1, as confirmed by Android Police.
If widely adopted by enterprises it would make it more difficult for administrators to deactivate SMBv1 support on their network, and therefore place the Windows machines on the network at risk.
Microsoft’s Ned Pyle, who owns SMB, also reports that SMBv1 is vulnerable to Man in the Middle attacks, meaning even Linux and Android users who use a clean room implementation of SMB would be exposing users to being exploited.
“Linux users are not perfectly safe using this client, as the SMB1 client does not provide sufficient MitM protections unless carefully configured with UNC hardening (a feature likely not available or possible here, since this phone likely cannot use Kerberos, join active directory domains, and there isn’t an obvious way I see to configure signing). I would not recommend using any SMB client from any vendor that only supports SMB1,” he noted.
Google has been hitting Microsoft recently with a steady stream of security disclosures, making the ill-thought release of the Android Samba Client by Marketing @ Google not just odd but suspicious.
Hopefully, Google will do the right thing for their customers and follow Microsoft’s lead in deprecating SMBv1, for the safety of all concerned.

0 comments