MS09-013 and MS09-014: NTLM Credential Reflection Updates for HTTP clients

This month we are taking another step towards blocking NTLM reflection attacks by releasing MS09-014 for Internet Explorer and MS09-013 for Windows. This is the third update related to NTLM credential reflection we have released, and I thought it would be good to go into a bit more detail on why this update was needed, how it relates to the previous updates (MS08-068 and MS08-076), and the severity of the issue.

Background on the prior updates:

In November 2008, we released an update for SMB that prevented so-called “SMB Reflection” attacks. These attacks target the SMB protocol used for file and printer sharing, and allow an attacker to gain access to a victim’s machine with the same rights as the logged-on user. If the user has administrator permissions, then the attacker can take complete control of the victim’s machine. (For more details see the previous blog entry on MS08-68 here. The history of this issue is covered on the MSRC blog here).

The MS08-068 update protected SMB from this attack by causing the SMB client in Windows to opt-in to the reflection protections that NTLM offers. This allows the NTLM sub-system to detect when challenge values are replayed to the same machine, and fail the attacker’s authentication.

The MS08-076 update fixed a similar issue in the Windows Media components.

This month’s HTTP update:

Other protocols support sending NTLM credentials. For each protocol that has valid attack vectors, we have been working for some time on updates that block reflection attacks. This is a complex process involving changes that affect widely-used protocols and risk application compatibility, so rigorous testing was needed.

In the case of HTTP, Internet Explorer supports sending NTLM credentials automatically over HTTP when communicating with a web-server in the Intranet zone. This has been used in external tools to perform cross-protocol attacks as follows:

  • The victim connects to the attacker’s web-server

  • The attacker’s machine initiates an SMB connection to the victim

  • The attacker forces the victim’s browser to respond to the SMB connection’s request for authentication using NTLM.

The reason this attack works even with MS08-068 installed is that the client performing NTLM authentication in this case is HTTP, not the SMB client. The updates we are shipping this month block the above attack by making the HTTP client APIs correctly opt-in to NTLM reflection protections.

Issue Severity:

Note that attacks targeting this issue only work in the Intranet zone – Internet Explorer will not send credentials automatically in the Internet zone. This limits attacks to coming from within the same subnet or from the same internal network. Possible attackers in be “malicious insiders” or machines that were compromised using an unrelated security vulnerability.

For the attack to lead to a compromise of the target, SMB traffic must also be allowed inbound. This mean hosts that are behind firewalls that block SMB traffic, or that block it at the host firewall, will not be vulnerable to the most common NTLM reflection attacks that target SMB.

Machines that are not joined to a domain are also less vulnerable to this attack due this setting which forces local users to authenticate as the Guest user on the network.


It should now be clear that MS08-068 and this month’s update are part of a larger effort to secure NTLM against reflection and replay attacks. There is more work to do before we can say we have truly solved the problem, and future updates will continue to improve the security of our products in this respect.

– Mark Wodrich, MSRC Engineering

*Postings are provided “AS IS” with no warranties, and confers no rights.*