Slashdot Log In
Microsoft Bypasses HOSTS File
Posted by
CmdrTaco
on Sun Apr 16, 2006 11:10 AM
from the they-know-what's-best dept.
from the they-know-what's-best dept.
whitehatlurker writes "Dave Korn announced on the Full Disclosure and Bugtraq security lists that Microsoft is bypassing local lookups for some hosts, meaning that you can't locally block some sites through your HOSTS file. All of these sites are MicroSoft controlled sites.
The general feeling in the rest of the thread is that this was to obfuscate these hosts and prevent them from being blocked by malware. However, there are no non-MicroSoft hosts listed, giving a competitive advantage for MicroSoft's anti-malware tools over other brands."
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Not a useful thing for MS to do (Score:5, Interesting)
(Last Journal: Sunday January 22 2006, @06:55AM)
If you are trying to stop MS software from talking to home, then just use an external firewall.
Michael
I couldn't reproduce this on Win2K. (Score:4, Interesting)
I recommend this anyway. In theory it will increase the number of requests your machine does. But in practice it has saved me a lot of "try rebooting" calls.
Anyone out there with XP who can reproduce this?
Re:I couldn't reproduce this on Win2K. (Score:5, Interesting)
(Last Journal: Monday April 03 2006, @07:23PM)
Good idea, but no luck. Same result, though with one slight difference which might prove useful as a workaround - The first attempt timed out, meaning it really performs the query rather than having a hardcoded list of IP mappings. So if you ran a cacheing DNS proxy on your machine (ie, exactly what the built-in DNS service does, but one not containing a built-in Microsoft hack), pointed your machine's DNS to itself, and tell the proxy to use a bogus address for the sites in question, that should successfully block them.
Better to do this at the firewall, though (a real external hardware firewall, not Microsoft's "trust us, this works" crap).
Re:Not a useful thing for MS to do (Score:4, Interesting)
(Last Journal: Thursday September 30 2004, @01:33AM)
Re:Not a useful thing for MS to do (Score:5, Informative)
(http://www.nivot.org/ | Last Journal: Monday March 15 2004, @10:18PM)
>correspond to the IP addresses of MS domains to some random, invalid address?
Yes, there is a mechanism built into Windows which uses digital signatures and a watchdog to prevent accidental (or deliberate) changes to sensitive DLLs. Any binary changes to any file will invalidate the signature on the DLL. This is more effective than tripwire or other such things whereby a checksum is held in another location since the DLL itself is signed using a PK and cannot be re-signed to hide the changes.
Windows File Protection: http://support.microsoft.com/?kbid=222193 [microsoft.com]
- Oisin
Is this necessarily a bad thing? (Score:5, Interesting)
It's a Big Deal because... (Score:5, Insightful)
(Last Journal: Saturday February 25 2006, @11:02PM)
Why? Maybe someone will get a comment from MS.
The point is that mucking around with the inner workings of the OS is BAD, unless it is documented appropriately. Now, documentation doesn't make it good, but if they're departing from the expected behavior, they should let people know.
Re:Is this necessarily a bad thing? (Score:5, Informative)
(http://qmt.ath.cx/)
Re:Is this necessarily a bad thing? (Score:5, Funny)
(http://www.milksucks.com/ | Last Journal: Monday September 15 2003, @12:30PM)
and already you feel qualified to comment
Re:Is this necessarily a bad thing? (Score:5, Insightful)
Microsoft has:
instituted not only License 6, but also "phone home" validation. At any time, MS may
decide to shut down any business worldwide that uses their products, at their (or a
malviolent government's) discretion;
embraced and extended(tm) LDAP with kerberos authentication that is not industry-
standard or cross-platform compatible;
embraced and extended(tm) web browser standards that have made Internet and
platform security a nightmare;
implimented a software firewall (XP SP2) that doesn't actually control/restrict all
incoming and outgoing packets, making the use of a third party (H/W?) firewall
less redundant and more actually necessary;
stripped nearly all OS improvements out of their upcoming flagship OS, excepting
Digital Rights Restrictions -- which may also remotely disable or remove products
and/or services which they choose to disallow for any reason.
Bypassing DNS and the hosts file on the OS platform is their "camel's nose under the
tent flap" for future modifications to the network stack, all in the name of their brand
of "security", which is (frankly) appalling. Given Microsoft's current product direction,
it is not outside the realm of possibility that the future average computer user's
experience will be some cross between a WebTV and an XBox.
So what? (Score:4, Insightful)
Re:So what? (Score:5, Funny)
(http://www.thebedells.org/)
Ad blocking (Score:5, Interesting)
(http://blerg.net/)
Permissions? (Score:5, Insightful)
(http://libtom.org/)
-rw-r--r-- 1 root root 519 Oct 19 12:13
....
Why can't windows just make the host files read only.
Re:Permissions? (Score:5, Insightful)
(http://libtom.org/)
So
Think about it.
Tom
Re:Permissions? (Score:5, Insightful)
(Last Journal: Wednesday March 27 2002, @09:26PM)
Which leads us back to the primordial Windows security problem: users running with admin priviledges.
In the example you provided in the previous post,
As far as I know Windows host file is only writable by Administrator level (dunno, I don't have a Windows machine with me right now). Is it otherwise?
Re:Permissions? (Score:4, Informative)
You're absolutely right about the root problem as running everything as admin. Almost all the malware that I've seen fails miserably unless run as admin, and that which does run can't infect the entire system. I guess the users that know enough to run as a normal user are the same ones that avoid that crap in the first place.
Re:Permissions? (Score:5, Funny)
Think about it.
Dear Tom,
this is Slashdot and the term "think" does not apply.
Re:Permissions? (Score:5, Insightful)
(http://vftp.net/ | Last Journal: Saturday December 09 2006, @09:52PM)
It'd take the malware makers about an hour to find any of the what, probably 80 holes that would let them go around such windows security. A back-and-forth battle like that could easily go on for months if not years. In unix, security and permissions are the foundation, on top of which everything is built. In windows, security is a hack that was added on later with no due consideration during the initial design phase of windows. It's no wonder it's next to impossible to get it to work the way you want it to.
When you are designing security, the sad truth of it is, the user is the enemy. There's no nicer way to look at it. So it takes a great deal of care to design a security system that can withstand the assult of a user while at the same time being functional and serving the user. It's too late for windows to make those design considerations. They have errored on the side of functionality and sacrificed the security of the system. There is no fixing that.
Re:Permissions? (Score:5, Insightful)
(http://www.liquidshells.net/)
conspiracy-theorists, start your engines! (Score:1)
(http://www.isecore.net/)
Potentially unfair... (Score:5, Insightful)
(Last Journal: Tuesday March 09 2004, @01:55AM)
Let us say that Joe User gets a piece of Malware, so he decides to visit a security company to find a solution to his problem. However, the malware has modified his hosts file to block security company web pages from being accessed, which is extremely typical. Joe User is not experienced enough to even know there is a hosts file that he could change back.
Joe User's first attempt would likely be to norton.com, symantec.com (both go to Symantec's main page), or mcafee.com, since these names are pretty much synonymous with antivirus software. However, all of those are blocked and he can't access them.
However, if he goes to microsoft.com, he can go there since the hosts file is subverted in the OS. Since he can't spend the time to figure out why he can't access the others, he purchases Microsoft's AV solution.
Yet Another Band-Aid? (Score:5, Insightful)
Rather than having to ignore the HOSTS file because it may be malicious, shouldn't the solution be to prevent HOSTS from getting mangled in the first place?
(oh, and on an unrelated note: why on earth is the Win32 HOSTS file buried away under C:\Windows\System32\Drivers\etc\? I mean.... 'drivers'?!!? Bizarre.
Re:Yet Another Band-Aid? (Score:5, Informative)
Re:Yet Another Band-Aid? (Score:5, Interesting)
(http://www.last.fm/user/schmod)
This is one of the telltale remaints of the BSD-derived [kuro5hin.org] TCP/IP stack that NT/XP uses.
Although the stack itself has been heavily modified, using
MSN (Score:2, Insightful)
(http://slashdot.org/ | Last Journal: Monday August 20, @10:21AM)
The other hosts are used in Microsoft's patch distribution network and honestly is not something the average user would ever need to block. It is, however, something a virus/spyware program would love to block. So, if you want to block those hosts, buy a firewall, they're down to about $20.
As for MSN, my only guess is that they don't want to block updates for MSN messenger.
What we have to remember is that these sites are required to fix a broken system, so I don't view this as just an advantage for MS antispyware.
How is this a competitive advantage? (Score:2)
(http://jeke.fdns.net)
Smart move from M$ (Score:3, Insightful)
An automatic update of WMP and your PC gets owned, and nothing can be done to prevent it!
Would be ok... (Score:3, Insightful)
Cheers, Fogger
Route to null (Score:5, Informative)
(http://www.hificans.com/)
nslookup whatever.microsofts.domains
takes the list of return addresses and
route ADD destination MASK mask INVALID INVALID INVALID foreach
and your traffic to MS wont even leave the network card.
Interference with my sig! (Score:4, Funny)
(http://www.xs4all.nl/~dverbeek)
Now I'll have to include a disclaimer...
Just another reason to continue using a more robust system :)
Sensationalism (Score:3, Insightful)
Nothing prevents you from not using the operating system's resolver. Its trivial to implement your OWN DNS client in your programs, bypassing any HOSTS settings and other DNS resolver issues.
I've never seen so many people who were so clueless and misinformed about the technical issues involved here.
Sensationalist Junk (Score:2)
The problems with this (Score:2, Insightful)
Hotels on Park Place (Score:2)
(http://slashdot.org/~Doc%20Ruby/journal | Last Journal: Thursday March 31 2005, @01:48PM)
MS products not behaving as expected (Score:1)
(http://www.octools.com/)
FUD flying low again (Score:3, Insightful)
So this is going to be celebrated as the hack against malware that keeps you from updating. Ohhhh great. Ok, next move from the malware writers is simply to keep a thread running that checks if something is coming in from the "unwanted" sites. If so, it's deleted before execution. Problem solved.
There is no techical solution for social problems.
how long? (Score:2)
(http://elitemrp.net/)
So whats the big deal (Score:2, Informative)
Completely irrelevant (Score:1, Insightful)
The network guru's solution (Score:2)
(Last Journal: Monday February 20 2006, @09:53AM)
ip route [offending block] Null0
router ospf 1
redistribute static subnets route-map MSFT-GO-AWAY-NO
route-map MSFT-GO-AWAY-NO
mat ip addr prefix-list LOSER-MONOPOLIST
ip prefix-list LOSER-MONOPOLIST permit [offending block]
From memory, but should work under IOS. You have to be root on my desktop to change
Lawsuit (Score:1)
(http://www.zorix.us/)
Which is more important? (Score:2)
What I really don't like about this (Score:2)
(http://www.randombit.net/)
I assume this is actually undocumented behaviour, since I haven't seen anyone claim to have known about it before now, nor can I find any references on MSDN about it. Having unintuitive and undocumented behaviour is exactly the sort of thing that makes it very hard to gain a correct mental model of how a system behaves, and if you don't even understand how the system works I don't see how one can secure or troubleshoot the system in a way that isn't essentially "shotgun debugging".
My $.02
rest of the FD thread (Score:3, Interesting)
(http://www.vanitydomainsarelikeso20thcentury.org/)
This is normal (Score:1)
(Last Journal: Monday May 07 2007, @06:51AM)
This bit me in the... (Score:1)
He wanted anything not explicitly approved by him to be blacklisted and specifically named msn.com and a few other popular office time-waster sites (yahoo, etc.). It was through this process that I discovered that neither content advisor nor manipulation of the hosts file will block msn.com or other Microsoft sites. As MS has never made it public knowledge that you cannot block these sites in this manner I ended up looking rather foolish when I couldn't black-list. I had guessed at that time what was actually happening but I had no proof of documentation on which to fall back.
At least I reduced the list propagation time by setting up the list on one machine and pushing the registry to the remainder but the damn thing never did work right, it was such a hack job and I'm ashamed of it when I look back in retrospect. I wish they'd let me do it right.
If MS had disclosed this change (along with the Content Advisor change) I wouldn't have felt so foolish.
Pah (Score:2)
(http://excession.spiral-arm.org/jay/)
Apple seems to do the same with OS X (Score:1, Informative)
Try creating a host entry over configuration.apple.com on 10.4.6.
they dont care (Score:1)
Well (Score:2)
The hosts file is there to provide name-to-address translation for crucial hosts which might be needed before DNS is available. It has no features like pattern matching or blocking by address range, because that's entirely out of its scope.
Another side effect of abusing the hosts file is ambiguous errors. Because access to ad servers in the hosts file is not "blocked" but rather redirected to 127.0.0.1, you are twisting semantics about why this or that URL doesn't work now.
If you need to block networks/URLs by pattern and for HTTP only, you should use a proxy like squid.
I won't even begin to rant how using the hosts file for more than 1 computer is phenomenally stupid. Seriously, the guy who came up with this abuse should be severely beaten over with a cluestick.
</rant>
Worst Possible Behavior (Score:2)
(http://lists.clickers.org/linuxsig/index.html | Last Journal: Friday November 09, @11:00PM)
I'm gobsmacked by this: corrupting the resolver is little short of an intentional dns poisoning attack. It's as if internet explorer had special code in it to see if you were doing an internet search for 'microsoft products' and then altered the results to only return favourable reviews that microsoft wanted you to see.
Actually, it's exactly like that. Special cases, which can be added or subtracted on Windoze update, can effectively censor the internet for you. Imagine they intermittently broke connections to sites they did not like. The user would never know, the site would be blamed and abandoned. That nasty and it's exactly what M$ likes to do to their perceived competition.
What version of DNS??? (Score:1)
So what? (Score:2)
They aren't spying on you any more than they already were. They're ensuring that you can always get to their sites for patches and support. They aren't doing it for anyone elses sites because it's not their business to do that.
I just really don't see what the big deal on this is, your average user will never use the hosts file, and you need to get to Microsoft sites to patch and maintain your microsoft system. If you don't want to deal with Microsoft don't use their OS, they're not doing anything particularly wrong here.
It still works for localhost, though (Score:1)
(http://www.shanman.net)
For example:
127.0.0.1 localhost www.microsoft.com
PING www.microsoft.com resolves to 127.0.0.1 (and succeeds
and http://www.microsoft.com/ [microsoft.com] fails (resolvs to 127.0.0.1 then redirs to a search)
Move it to it's own line, and the "trigger" kicks in.
I'm running WXP SP2 (w/ all the latest patches)
ANYONE can Do this! The Functions are Documented (Score:3, Informative)
(http://testing.onlytherightanswers.com/ | Last Journal: Sunday July 31 2005, @12:41AM)
http://msdn.microsoft.com/library/default.asp?url
Also you can defeat a Host file by simply changing the priority of lookups using the registry, more here:
http://www.dslreports.com/forum/remark,15900699~d
Let them over-rule the HOST file ... (Score:2)
What's that URL you want to look up?
Where do you want to have that packet sent? Oh, THAT IP, huh? Sure, I will.
Bwahahaha!
Use Treewalk DNS instead (Score:3, Informative)
(http://www.visceralpsyche.com/)
http://treewalkdns.com/ [treewalkdns.com]
Allows you to bypass Windows' own DNS server and gives you the useful feature of making DNS queries much quicker than resolving to your ISP all the time, among other benefits.
Very easy to install for Joe User and just as easy to uninstall.
HTH
Spyware using an LSP can circumvent this I'm sure (Score:1)
cooool (Score:1)
this is just the beginning folks - be ready for the rest with vista - drm and trusted computing are so cool - now you will get spam from only companies that pay microsoft more money to send spam.
here is a solution to this problem - buy linux and you will be in control of your own computer.
Slashdot can be so hypocritical (Score:2)
What would you rather they did? I mean they could've not added these features - would that be better? They're NOT going to offer to extend these protections to their competitors - that's less evil to consumers but more evil to shareholders - what could they have done that would be less evil?
if third party software wants to do this (Score:2)
(http://www.p10link.net/plugwash/)
so no real competitive advantage
M$ Modus (Score:1)
This works better than anybody else's methods.
When someone else starts to use it,
M$ changes it.
It is undocumented, so it is ok to chang it, WITHOUT NOTICE.
The other company's stuff crashes.
M$ Profit!!
-- They did this to WordPerfect and Lotus, now only Office survives.
What about ipsec? (Score:2)
If they also bypass ipsec that could mean real trouble. The organization I work for has told the employees not to upgrade to XP SP2 due to software incompatibility issues (I had to anyway, as I'm running SQL Server 2005 & VS 2005 which required SP2, and I'm not sure just what's supposed to be incompatible with what).
If an organization chose to try to use ipsec to distribute blocking filters as part of their security policy and MS bypassed them, I'd think there'd be some issues with that...
Haven't tried it yet, but may get around to it sooner or later...
Re:Hm? (Score:1)
Monopolies (Score:5, Insightful)
(http://zoeshire.com/ | Last Journal: Thursday October 31 2002, @05:12PM)
Now they are using that same monopoly power to take over the anti-malware market.
I'm rather ambivilent about this. On one hand, it is just one more case of Microsoft waiting for a market to mature, then forcing their way into it. On the other hand, this market wouldn't exist if it wasn't for their own shoddy products, so it's really Microsoft's reponsibility to fix it. However, malware protection software isn't the correct answer, it's just the most expedient, with a potential for additional profit.
All-in-all, it's just Microsoft's usual game: own the system, rig the system, use that to take over another system. Keep secrets, and act all coy when your secrets are discovered.
Re:Monopolies (Score:4, Insightful)
Back in the day, Netscape was developing web applications. This was kind of scary for Microsoft, as this shifted the focus away from the operating system and to the browser. Back then, Netscape ran on almost everything (Windows, Mac, Linux, BSD, OS/2, etc), and if in the future the user did all their work under web applicatons, then suddenly the underlying OS would become less important. Why spring for a Windows license to run Netscape when you could download Linux for free?
So Microsoft's response was Internet Explorer. At first it seemed that Microsoft was going with the Netscape route of supporting multiple platforms, but they quickly killed off everything but IE for Windows (Except for the Mac version, which lingered on quite a bit longer before finally getting axed). From there they made their browser not quite standards compliant (but close enough to get people to switch to it), and created ActiveX. They then integrated all of this into Windows and their respective server software. This made it easy for people to create Web applications and content that only worked properly under Internet Explorer for Windows, and many of these ended up being made - particularly for company intranets. At first, this seemed great for companies that basically ran Windows everywhere, but it also locked them into Microsoft's software. This is likely one of the reasons why Windows is still so dominant on the desktop, and is also one of the main reasons why in the bizarro-land of slashdot circa April, 2006, Mac users are so excited about running Windows on their Apple machines.
Of course, the threat of Web applications is coming around again, with open standards like XML threating to make your choice of OS less revelevent, and even your choice of browser unimportant (so long as it supports the open standards). I'm not sure what Microsoft has in store for this round (if anything), as IE7 seems to be too little, too late - and the popularity of Linux and OSX growing.
So in conclusion, Internet Explorer wasn't so much about crushing Netscape Navigator, as it was about crushing Web applications that could run everywhere.
Re:legitimate use? (Score:2)
(http://wilmer.gaast.net/)
Re:They control the haiku (Score:4, Interesting)
Windows xp still better
need to run useful software
Mac and Linux are toys
that is not quite right
both the troll and the haiku
are somewhat lacking
but please understand
Mac and Linux are not toys
just other systems
Windows has problems
while it does have more software
it is insecure
please try something else
you might find that you like it
don't stagnate yourself
if end users switch
developers will follow
more software for all
so please help yourself
and help the rest of the world
try something else
if you don't like them
that is your prerogative
simply don't use them
but I'm warning you
going back is much harder
but it is your choice
other OSes
few viruses and malware
true computing bliss
as for poetry
haiku sylable count is
5-7-5
Re:WHY? (Score:5, Funny)
(Last Journal: Sunday March 02 2003, @12:09PM)
Re:They control the vertical, and the horizontal (Score:2)
Re:Uh, what?! (Score:2)
Your argument assumes a one to one relationship between hostname and IP address. There just aren't enough addresses in a 4 byte address range (actually a lot less in practice) for every server, and every client to have it's own address. Many web servers host multiple web sites under different hostnames, in different domains, on the same IP address. You need to to use the hostname for these sites as that's how the server determines which of the many sites it hosts to give you.
Take my site - http://www.muttsnutts.com/ [muttsnutts.com] It's hosted on my ISP's web server along with hundreds of others. Lookup the address:-
ANSWER SECTION:
www.muttsnutts.com. 14400 IN A 84.92.1.5
Then try http://84.92.1.5/ [84.92.1.5] - you get the default site.
Second, the reverse may be true - try doing a dig or nslookup of www.google.com - you'll get different addresses every time (or the same ones in a different order):-
ANSWER SECTION:
www.google.com. 278479 IN CNAME www.l.google.com.
www.l.google.com. 30 IN A 216.239.59.147
www.l.google.com. 30 IN A 216.239.59.99
www.l.google.com. 30 IN A 216.239.59.103
www.l.google.com. 30 IN A 216.239.59.104
ANSWER SECTION:
www.google.com. 278492 IN CNAME www.l.google.com.
www.l.google.com. 43 IN A 216.239.59.99
www.l.google.com. 43 IN A 216.239.59.103
www.l.google.com. 43 IN A 216.239.59.104
www.l.google.com. 43 IN A 216.239.59.147
Granted, Microsoft could engineer their sites so that the IP address would work, but this places some severe restrictions on their web server farm's scale. As a couple of other posters mentioned - you could block the traffic in the routing table anyway, or just buy an external firewall and block the traffic there.
I don't like the smell of this - especially as they didn't document it. It may seem harmless enough, or even beneficial, but is the first step onto a slippery slope. You probably agree to it in the EULA when you install though.