The perfect trio, if you are a miscreant intent on making someones day horrible. For years we have known that IE was buggy, that Flash was a security hole no-one should use and Windows has how many new and variant malware a day (it’s one every 4.2 seconds, you do the math.)
But it is getting better, and part of that is Windows 10 is much more secure and people are starting to not use Flash and IE. Microsoft has proclaimed that IE is not a web browser and Adobe is telling people to not use Flash. And this is good except, parts of IE are embedded in everything Windows. From the desktop to file dialogs part of that code lives on. What bug or exploit as yet unknown is just sitting there ready for someone to use.
The “I can send you an email and get your password” bug, which we should have seen coming, is based on Microsoft’s use of the file:// url. But because so many companies use this still on their internal intranets which makes it that people still have to use IE. Firefox and Chrome won’t open that URL because file:// is a security risk. But we use them and the same problem exists in Outlook mail client because it shares either a library or code with IE.
It comes down to when Microsoft made their networking platform the only servers your computer could see were the company servers on your network. So it knew it could trust them. And to make things so that people could only see what they were allowed to see your computer had to identify you to that server with your username and the hash of your password. But it never really checked if that server was worthy. (It was/is encrypted .) They made the file:// URL. Skip ahead to the internet and we have certificates to identify servers and do encryption. But Windows sees a file:// url it doesn’t ask it just sends your username and password hash. So now it’s in emails, web pages, shortcuts (see the icon URL) so when you open a file dialog and go to a directory with a shortcut that has been editted so the url for the icon is a file:// URL there goes your username and password hash.
SO what you say? Um unless your password is 30 characters or longer and hasn’t already shown up in a dumped password list (or rainbow tables) it’s trivial to break it. Any good gaming computer now has a graphics card that can be used by password cracking software to break your password. And that gaming computer instead of the normal 2 or 4 CPU cores now has also the compute cores in the graphics card, likely 300 but there are some with up to 5 thousand cores. So instead of a few days to break a password with just a CPU it’s minutes on a gaming system. Access to a cloud compute system or the super computer at your place of employment and the limit goes up to 35 or 40 characters passwords to be safe.
Sorry if this is confusing I’m a bit sick today.