Security firm Cylance has uncovered a new variation on an old weakness in Microsoft's Windows operating system that could allow hackers to steal login credentials from PCs. The vulnerability, named 'Redirect to SMB' by security firm Cylance, is similar to one found in the late 1990s that took advantage of a weakness in Windows and Microsoft's Internet Explorer browser which made it possible for attackers to trick Windows into signing on to a server controlled by hackers.

According to Cylance, if a hacker can get a Windows user to click on a bad link in an email or on a website, it can essentially hijack communications and steal sensitive information once the user's computer has logged on to the controlled sever.

Cylance said users could be hacked without even clicking on a link, if attackers intercept automated requests to log on to a remote server issued by applications running in the background of a typical Windows machine, for example to check for software updates.

The attack takes advantage of features in Windows Server Message Block. The new variation, discovered by Cylance researcher Brian Wallace, has so far only been recreated in the laboratory and has not been seen on computers in the outside world.

The CERT unit of the Software Engineering Institute at Carnegie Mellon University, a federally funded body which tracks computer bugs and internet security issues, issued a warning about the vulnerability on Monday.