
PSA: If you’re on Windows, BadTunnel is a critical vulnerability you need to patch

By Marcus Wong - on 22 Jun 2016, 4:57pm



Yang Yu, the director of Tencent’s Xuanwu Lab, has discovered a vulnerability that affects all versions of Windows released over the last two decades.

Dubbed “BadTunnel”, the vulnerability allows spoofing of the NetBIOS Name Service, which Windows applications use to communicate with other computers on the same LAN. An attacker could therefore potentially hijack all network communications, including but not limited to web access, Windows Updates, and Microsoft Crypto API certificate revocation list updates.

While the obvious points of attack would be all versions of Internet Explorer, Microsoft Edge, and Microsoft Office, Yang’s report states that the exploit can also be executed through many third-party applications, and even anywhere a file URI scheme or UNC path is used. This means that even something as innocuous as an application shortcut could be used to trigger a BadTunnel attack. Further, the exploit can also be activated through web pages, emails, and thumb drives, so even Web servers and SQL servers can be attacked.

As Yu told Dark Reading, BadTunnel isn’t a typical coding-error flaw: it’s a combination of issues that together allow for an exploit. “This vulnerability is caused by a series of seemingly correct implementations, which includes a transport layer protocol, an application layer protocol, a few specific usage of application protocol by the operating system, and several protocol implementations used by firewalls and NAT devices,” Yu explains.

For his part, Yu notified Microsoft ahead of releasing his findings, and Microsoft made the necessary fixes in its latest patch, released on Patch Tuesday, 14 June. However, Windows XP users will still have to manually disable NetBIOS over TCP/IP to be safe.
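One way to check that setting on every IP-enabled adapter and switch it off, as an added example that is not from the original article or from Yu's report. It assumes Windows PowerShell 2.0 to 5.1 (for `Get-WmiObject`) run from an elevated prompt; the `-Disable` switch is a name chosen for this example.

```powershell
# Added example: audit and optionally disable NetBIOS over TCP/IP per adapter.
# Assumption: Windows PowerShell 2.0-5.1 (Get-WmiObject), elevated prompt.
param(
    [switch]$Disable   # hypothetical switch: without it the script only reports
)

# TcpipNetbiosOptions values defined by Win32_NetworkAdapterConfiguration
$netbiosState = @{
    0 = 'Default (follows DHCP setting)'
    1 = 'Enabled'
    2 = 'Disabled'
}

$adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'

foreach ($adapter in $adapters) {
    $current = [int]$adapter.TcpipNetbiosOptions
    Write-Output ('{0}: {1}' -f $adapter.Description, $netbiosState[$current])

    # Anything other than 2 can leave NetBIOS over TCP/IP active on the adapter
    if ($Disable -and $current -ne 2) {
        $result = $adapter.SetTcpipNetbios(2)
        if ($result.ReturnValue -eq 0) {
            Write-Output '  -> disabled'
        } elseif ($result.ReturnValue -eq 1) {
            Write-Output '  -> disabled, reboot required'
        } else {
            Write-Warning ('  -> SetTcpipNetbios failed with code {0}' -f $result.ReturnValue)
        }
    }
}
```

Run it once without the switch to see the current state of each adapter, then again with `-Disable` to apply the change.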

Yu has been awarded a US$50,000 bug bounty by Microsoft for spotting the vulnerability, and intends to release more details in a technical paper that will be presented at Black Hat USA 2016 next week.

Sources: Tencent Xuanwu lab blog, International Business Times

