The problem is that a Windows Explorer Shell Command File or SCF (.scf) – a text file that launches commands – requires no user action and can be used to trick Windows into an authentication attempt to a remote SMB server, which then gathers the victim’s username and Microsoft LAN Manager (NTLMv2) password hash, Stankovic wrote.
This is enough personal data, he explained, to launch account breaches on Windows systems. For enterprises that use Microsoft Exchange and use NTLM as an authentication strategy, the bug could enable SMB relay attacks, in which the bad actors could pose as the victim and thus gain access to networks without a password.
When a number of anti-virus solutions were tested, none flagged the downloaded file as suspicious.
To disable automatic downloads in Google Chrome, Stankovic recommended the following preferences be checked: Settings -> Show advanced settings -> Check the Ask where to save each file before downloading option.
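Because the tested anti-virus products did not flag the downloaded file, a simple local check can fill the gap. The following is an added example, not code from the article or from Stankovic's research: it scans a folder (for instance a downloads directory) for .scf files that reference a remote UNC path. The function names, the sample files and the placeholder key name are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# UNC reference such as \\host\share\... (host is captured for reporting).
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\[^\\\s]+")

def read_text(path: Path) -> str:
    """SCF files are small text files; decode UTF-16 if a BOM is present."""
    raw = path.read_bytes()[:65536]
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8", errors="replace")

def scan_for_remote_scf(root):
    """Return (file, line_no, host) for each UNC reference in .scf files under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        # Match the extension case-insensitively (.scf, .SCF, ...).
        if not path.is_file() or path.suffix.lower() != ".scf":
            continue
        for line_no, line in enumerate(read_text(path).splitlines(), 1):
            for match in UNC_RE.finditer(line):
                findings.append((path.name, line_no, match.group(1)))
    return findings

def demo():
    """Run the scan on constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed samples; "Key" is a placeholder, not a real SCF field name.
        Path(tmp, "local.scf").write_text("[Shell]\nKey=C:\\Windows\\x.ico\n")
        Path(tmp, "remote.SCF").write_text(
            "[Shell]\nKey=\\\\files.example.test\\share\\x.ico\n")
        Path(tmp, "notes.txt").write_text("\\\\files.example.test\\share\n")
        return scan_for_remote_scf(tmp)

if __name__ == "__main__":
    for name, line_no, host in demo():
        print(f"{name}:{line_no}: references remote host {host}")
```

Any hit is worth reviewing, since a .scf file that points at a host outside the organisation has little legitimate reason to sit in a downloads folder.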