It's no surprise that a number of exploitable security holes still exist in the operating systems we use each and every day. It's just the nature of the beast; we're talking about software that has hundreds of millions of lines of code. Despite a developer's best efforts, it's virtually impossible to release bulletproof software - with all the moving pieces it's just far too complex.
What is a bit of a surprise, though, is knowing that a vulnerability exists and that a major corporation (seemingly) has no interest in patching it up. That's the only conclusion we can draw from a bug that still exists in Windows - and it has existed for nearly two decades.
The exploit is rather simple in design: an attacker needs to embed a network share URL in a webpage, which tricks the browser into thinking that the file source is on the user's own network. The result is that the browser will try to authenticate to the share to access the file, which can result in the user details being sent in plain text over the Internet.
The only saving grace here is that the credentials being leaked are hashed, but if you're using a simple password, the hash could be cracked in a matter of seconds. At the website linked in the image below, VPN provider Perfect Privacy has a proof-of-concept that you're able to test out, in either Internet Explorer or Edge.
In a personal test, I was deemed secure, but a colleague who ran the test did in fact get their password spit back at them. Fortunately for them, it was a local password only, as they don't log into Windows with their Microsoft account.
Now, imagine if someone's password leaked and they were logged into a Microsoft account. That means the attackers could suddenly gain access to that person's entire life inside of Microsoft - email, Xbox, Office, and so on. That's more than unsettling for some.
The moral of the story here? Considering the fact that this exploit requires Internet Explorer or Edge to prove successful, it would seem that avoiding those browsers would be a good start. The ultimate fix is obviously Microsoft patching the exploit, hopefully sooner rather than later. It has been nearly two decades, after all.
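A defensive check for the pattern described above, as an added example that is not part of the original article: it scans HTML (for instance at a web proxy or mail gateway) for resource references that point at a network share instead of a web URL. The function names, the attribute list and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make a browser fetch or follow a URL (assumed list, not exhaustive).
URL_ATTRS = {"src", "href", "data", "poster", "background", "action"}

def share_host(value):
    """Return the remote host if value names a network share, else None."""
    v = value.strip()
    if v.startswith("\\\\"):                      # UNC path: \\host\share\file
        return v[2:].split("\\", 1)[0].lower() or None
    try:
        parts = urlsplit(v)
        host = parts.hostname or ""               # urlsplit lowercases the hostname
    except ValueError:                            # malformed URL: nothing to flag
        return None
    if parts.scheme != "file":                    # http(s) and //cdn/... are ordinary web URLs
        return None
    if not host and parts.path.startswith("//"):  # file:////host/share form
        host = parts.path[2:].split("/", 1)[0].lower()
    return host if host and host != "localhost" else None

class ShareRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []                        # (tag, attribute, host) tuples
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            host = share_host(value) if name in URL_ATTRS and value else None
            if host:
                self.findings.append((tag, name, host))

def find_share_refs(html):
    finder = ShareRefFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample markup; hosts use reserved documentation names and addresses.
SAMPLE = r'''
<img src="\\files.example.test\share\pixel.png" width="1" height="1">
<img src="file://203.0.113.7/share/logo.png">
<link rel="stylesheet" href="file:////Host.Example.test/css/site.css">
<img src="file:///C:/Users/Public/local.png">
<script src="//cdn.example.test/app.js"></script>
'''

if __name__ == "__main__":
    for tag, attr, host in find_share_refs(SAMPLE):
        print(f"<{tag} {attr}> references network share on {host}")
```

Local `file:///` paths and protocol-relative `//host/` web URLs are deliberately not flagged, since neither makes the browser authenticate to a remote share.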