Microsoft Bypasses HOSTS File
whitehatlurker writes "Dave Korn announced on the Full Disclosure and Bugtraq security lists that Microsoft is bypassing local lookups for some hosts, meaning that you can't locally block some sites through your HOSTS file. All of these sites are Microsoft controlled sites.
The general feeling in the rest of the thread is that this was to obfuscate these hosts and prevent them from being blocked by malware. However, there are no non-Microsoft hosts listed, giving a competitive advantage for Microsoft's anti-malware tools over other brands."
Not a useful thing for MS to do (Score:5, Interesting)
If you are trying to stop MS software from talking to home, then just use an external firewall.
Michael
I couldn't reproduce this on Win2K. (Score:4, Interesting)
I recommend this anyway. In theory it will increase the number of requests your machine does. But in practice it has saved me a lot of "try rebooting" calls.
Anyone out there with XP who can reproduce this?
Re:I couldn't reproduce this on Win2K. (Score:5, Interesting)
Good idea, but no luck. Same result, though with one slight difference which might prove useful as a workaround - the first attempt timed out, meaning it really performs the query rather than having a hardcoded list of IP mappings. So if you ran a caching DNS proxy on your machine (i.e., exactly what the built-in DNS service does, but one not containing a built-in Microsoft hack), pointed your machine's DNS to itself, and told the proxy to use a bogus address for the sites in question, that should successfully block them.
Better to do this at the firewall, though (a real external hardware firewall, not Microsoft's "trust us, this works" crap).
Re:I couldn't reproduce this on Win2K. (Score:3, Interesting)
Just an update - I just set up exactly such a proxy (DNRD) on my masq'ing gateway, and it works like a charm. So MS hasn't done anything too sophisticated to get around blacklisting them, just enough to count as a nuisance.
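The filtering resolver these two comments describe, as an added Python sketch (not DNRD and not code from the thread): it answers A queries for names on a constructed blocklist with a bogus address, returns empty answers for other record types on those names so nothing leaks via AAAA, and relays everything else untouched to an upstream resolver whose address is a placeholder. Binding port 53 needs administrative rights.

```python
import socket
import struct

# Constructed blocklist for the demonstration; the names are placeholders,
# not hosts taken from the thread. Subdomains of a listed name are sunk too.
BLOCKLIST = {"blocked.example"}
SINKHOLE_IP = "0.0.0.0"   # the "bogus address" handed back for blocked names

def build_query(name, txid=0x1234, qtype=1):
    """Build a standard recursive query for name (used by the self-test)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(packet):
    """Return (qname, qtype, qclass, end_offset) for a one-question query."""
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount != 1:
        raise ValueError("only single-question queries are handled")
    labels, off = [], 12
    while packet[off] != 0:
        if packet[off] & 0xC0:                 # compression is not valid in a question
            raise ValueError("compressed qname in question")
        length = packet[off]
        labels.append(packet[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    qtype, qclass = struct.unpack("!HH", packet[off + 1:off + 5])
    return ".".join(labels).lower(), qtype, qclass, off + 5

def is_blocked(qname, blocklist=BLOCKLIST):
    return any(qname == b or qname.endswith("." + b) for b in blocklist)

def build_local_reply(packet, question_end, ip=None):
    """Answer from the proxy itself: one A record at ip, or an empty answer."""
    answers = b""
    if ip is not None:
        # name = pointer to offset 12 (the question name), type A, class IN, TTL 0
        answers = struct.pack("!HHHIH", 0xC00C, 1, 1, 0, 4) + socket.inet_aton(ip)
    ancount = 1 if ip is not None else 0
    header = packet[:2] + struct.pack("!HHHHH", 0x8180, 1, ancount, 0, 0)
    return header + packet[12:question_end] + answers

def handle_query(packet, forward, blocklist=BLOCKLIST, sinkhole=SINKHOLE_IP):
    """Sink blocked names locally; hand everything else to the upstream resolver."""
    qname, qtype, qclass, qend = parse_question(packet)
    if qclass == 1 and is_blocked(qname, blocklist):
        # A records get the bogus address; other types get NOERROR with no data,
        # so a blocked name cannot be reached through an AAAA or other lookup.
        return build_local_reply(packet, qend, sinkhole if qtype == 1 else None)
    return forward(packet)

def forward_udp(packet, upstream, timeout=3.0):
    """Relay the untouched query to the real resolver (the ISP's, for example)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, upstream)
        return sock.recv(4096)

def serve(listen=("127.0.0.1", 53), upstream=("192.0.2.53", 53)):
    """Loop: the machine's DNS setting points at listen; upstream is a placeholder."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(listen)
        while True:
            data, client = sock.recvfrom(4096)
            try:
                reply = handle_query(data, lambda p: forward_udp(p, upstream))
            except (ValueError, IndexError, socket.timeout):
                continue                      # malformed query or upstream timeout
            sock.sendto(reply, client)

if __name__ == "__main__":
    serve()
```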
Re:Not a useful thing for MS to do (Score:3, Informative)
Re:Not a useful thing for MS to do (Score:4, Interesting)
Re:Not a useful thing for MS to do (Score:5, Informative)
>correspond to the IP addresses of MS domains to some random, invalid address?
Yes, there is a mechanism built into Windows which uses digital signatures and a watchdog to prevent accidental (or deliberate) changes to sensitive DLLs. Any binary changes to any file will invalidate the signature on the DLL. This is more effective than tripwire or other such things whereby a checksum is held in another location since the DLL itself is signed using a PK and cannot be re-signed to hide the changes.
Windows File Protection: http://support.microsoft.com/?kbid=222193 [microsoft.com]
- Oisin
Re:Not a useful thing for MS to do (Score:3, Insightful)
Try looking at it in reverse. (Score:3, Insightful)
Is this necessarily a bad thing? (Score:5, Interesting)
It's a Big Deal because... (Score:5, Insightful)
Why? Maybe someone will get a comment from MS.
The point is that mucking around with the inner workings of the OS is BAD, unless it is documented appropriately. Now, documentation doesn't make it good, but if they're departing from the expected behavior, they should let people know.
Re:It's a Big Deal because... (Score:3, Insightful)
Stated like you control and/or own the OS running on your machine. This is just another example showing how Microsoft feels they should be the ones to control your system. There are many examples of this. Patches for applications that change things in the core operating system are common. Why a patch for Office should change things in the OS never made any sense. But then Microsoft knows best.
Re:Is this necessarily a bad thing? (Score:5, Informative)
Integrity (Score:2, Interesting)
Which integrity might that be? The same integrity that allows malware to infect a machine to the point where it can poison the hosts file? The same integrity that spawned the anti-malware business in the first place?
Yeah. Microsoft is big on integrity, both moral and technical.
Re:Is this necessarily a bad thing? (Score:2)
I would assume that helps with product verification/activation. Without it, it would be simpler to mimic much of Windows Update with a localhost server, and point back to your PC. With this in, you would probably need a second PC, and an external non-Microsoft-based DNS server.
I would more quickly give MSFT credit for protecting profit than protecting from malware.
Re:Is this necessarily a bad thing? (Score:5, Funny)
and already you feel qualified to comment
Re:Is this necessarily a bad thing? (Score:3, Interesting)
Re:Is this necessarily a bad thing? (Score:5, Insightful)
Microsoft has:
- instituted not only License 6, but also "phone home" validation. At any time, MS may decide to shut down any business worldwide that uses their products, at their (or a malevolent government's) discretion;
- embraced and extended(tm) LDAP with kerberos authentication that is not industry-standard or cross-platform compatible;
- embraced and extended(tm) web browser standards that have made Internet and platform security a nightmare;
- implemented a software firewall (XP SP2) that doesn't actually control/restrict all incoming and outgoing packets, making the use of a third party (H/W?) firewall less redundant and more actually necessary;
- stripped nearly all OS improvements out of their upcoming flagship OS, excepting Digital Rights Restrictions -- which may also remotely disable or remove products and/or services which they choose to disallow for any reason.
Bypassing DNS and the hosts file on the OS platform is their "camel's nose under the tent flap" for future modifications to the network stack, all in the name of their brand of "security", which is (frankly) appalling. Given Microsoft's current product direction, it is not outside the realm of possibility that the future average computer user's experience will be some cross between a WebTV and an XBox.
Re:Is this necessarily a bad thing? (Score:2, Insightful)
Re:Is this necessarily a bad thing? (Score:2)
Re:Is this necessarily a bad thing? (Score:3, Informative)
So what? (Score:4, Insightful)
Re:So what? (Score:5, Funny)
Re:So what? (Score:2)
I've often noticed that products that address issues similar to ones addressed in MS software find themselves fighting an uphill battle. Take the suggestion in the original post... MS has an immediate competitive advantage by leveraging a feature built into the OS that can ONLY benefit other MS products. We've seen the same thing happen in other markets too, of course. Not least of which was with IE.
Ad blocking (Score:5, Interesting)
Re:Ad blocking (Score:2, Interesting)
Doesn't the adblock firefox extension just not display the images from certain hosts? Programs that block ads by editing the hosts file remove things before they even get to adblock. I suppose that's the real reason that I don't really think
Re:Ad blocking (Score:3, Informative)
Permissions? (Score:5, Insightful)
-rw-r--r-- 1 root root 519 Oct 19 12:13
....
Why can't Windows just make the hosts file read-only?
Re:Permissions? (Score:5, Insightful)
It'd take the malware makers about an hour to find any of the what, probably 80 holes that would let them go around such Windows security. A back-and-forth battle like that could easily go on for months if not years. In Unix, security and permissions are the foundation, on top of which everything is built. In Windows, security is a hack that was added on later with no due consideration during the initial design phase of Windows. It's no wonder it's next to impossible to get it to work the way you want it to.
When you are designing security, the sad truth of it is, the user is the enemy. There's no nicer way to look at it. So it takes a great deal of care to design a security system that can withstand the assault of a user while at the same time being functional and serving the user. It's too late for Windows to make those design considerations. They have erred on the side of functionality and sacrificed the security of the system. There is no fixing that.
Re:Permissions? (Score:3, Insightful)
The whole admin/user philosophy is based on the religion called the "High Priesthood of the Computer Temple", where you have to make special requests to a special unique class of individuals who control computer resources.
As for PC operating systems, in particular Microsoft OS platforms, they were designed for independent system operations where t
Re:Permissions? (Score:2)
It's been hashed over several times before on
Re:Permissions? (Score:3, Insightful)
Re:Permissions? (Score:2)
In Unix, "root process can change the hosts file" would be rejected as NOTABUG, and the user would be told to use better security practices.
In Windows where Microsoft is in the awkward position of trying to protect t
Re:Permissions? (Score:3)
Re:Permissions? (Score:2)
You might want to look into the history of root before deciding that only on Windows was multi-user added on later.
Root is a design fault, it is not even necessary.
Re:Permissions? (Score:2)
Re:Permissions? (Score:5, Insightful)
Re:Permissions? (Score:5, Insightful)
So
Think about it.
Tom
Re:Permissions? (Score:5, Insightful)
Which leads us back to the primordial Windows security problem: users running with admin privileges.
In the example you provided in the previous post,
As far as I know the Windows hosts file is only writable at Administrator level (dunno, I don't have a Windows machine with me right now). Is it otherwise?
Re:Permissions? (Score:4, Informative)
You're absolutely right about the root problem as running everything as admin. Almost all the malware that I've seen fails miserably unless run as admin, and that which does run can't infect the entire system. I guess the users that know enough to run as a normal user are the same ones that avoid that crap in the first place.
Re:Permissions? (Score:2)
The next generation will patch dnsapi.dll.
Re:Permissions? (Score:5, Funny)
Think about it.
Dear Tom,
this is Slashdot and the term "think" does not apply.
Re:Permissions? (Score:3, Informative)
By MS doing this hosts file management, they are admitting that most users don't use or know the hosts file, and the most probable reason for a hosts file change, especially as it relates to MS, is an attack.
I should, in my user account have a wide variety of leeway. If I mess up, I or my qualified agent should be able to go to an admin acco
Re:Permissions? (Score:2, Insightful)
Only because people always need admin privileges at the most inopportune times. Sure, you only need to be Admin for 2 seconds, but if you're doing anything technical with the system, you need them every 5-10 minutes. In these situations Run As is, at best, cumbersome, and in many cases outright incapable.
If Windows wanted to be truly innovative there would be a way to supply an Admin password, temporarily upgrade privs to Admin, and
Potentially unfair... (Score:5, Insightful)
Let us say that Joe User gets a piece of Malware, so he decides to visit a security company to find a solution to his problem. However, the malware has modified his hosts file to block security company web pages from being accessed, which is extremely typical. Joe User is not experienced enough to even know there is a hosts file that he could change back.
Joe User's first attempt would likely be to norton.com, symantec.com (both go to Symantec's main page), or mcafee.com, since these names are pretty much synonymous with antivirus software. However, all of those are blocked and he can't access them.
However, if he goes to microsoft.com, he can go there since the hosts file is subverted in the OS. Since he can't spend the time to figure out why he can't access the others, he purchases Microsoft's AV solution.
Re:Potentially unfair... (Score:2)
</sarcasm>
I barely managed to type that with my bladder intact.
Re:Potentially unfair... (Score:2)
Yes but (Score:2, Interesting)
Apple won't allow others to create DRM-enabled files that play on the iPod. Other MP3 players are prevented from being able to play songs bought on iTunes (unless you go the roundabout, dubiously legal (read the contract) route of ripping to CD and then copying the MP3s on there). This is all considered "fair" and a brilliant example o
Re:Potentially unfair... (Score:3, Insightful)
This is why antivirus/antispyware software should check for updates by IP address. If it can't find the update servers, only then should it do a DNS looku
Yet Another Band-Aid? (Score:5, Insightful)
Rather than having to ignore the HOSTS file because it may be malicious, shouldn't the solution be to prevent HOSTS from getting mangled in the first place?
(oh, and on an unrelated note: why on earth is the Win32 HOSTS file buried away under C:\Windows\System32\Drivers\etc\? I mean.... 'drivers'?!!? Bizarre.
Re:Yet Another Band-Aid? (Score:5, Informative)
Re: Wrong Wrong Wrong! (Score:3, Informative)
I admin a tiny number of desktops and not one of them worked with user-level permissions.
-Mysterious errors
-Application functions that simply did not work.
These are *very* generic XPSP2/Win2k desktops with Office 2K/2003.
Initially, I was not deterred. With every hurdle crossed with ugly hacks, there was yet another error with no documented solution.
Someone posted a link to NIST(?) documentation that I eventually used. It's by far the
Re:Yet Another Band-Aid? (Score:2)
Whew, that was hard. Can I take a break now?
Re:Yet Another Band-Aid? (Score:2)
Re:Yet Another Band-Aid? (Score:5, Interesting)
This is one of the telltale remnants of the BSD-derived [kuro5hin.org] TCP/IP stack that NT/XP uses.
Although the stack itself has been heavily modified, using
Re:Yet Another Band-Aid? (Score:2)
I think they're actually unrelated - and I don't think Microsoft has used a bsd derived TCP/IP stack since NT4.
Although the stack itself has been heavily modified, using
I'm actually pretty sure it's there for the half-assed posi
Re:Yet Another Band-Aid? (Score:2)
Admittedly, Windows won't like you even trying to unload the dll, but if you can manage it, it'll be a 1 time reboot. After that, you're home free.
Re:Yet Another Band-Aid? (Score:2)
MSN (Score:2, Insightful)
The other hosts are used in Microsoft's patch distribution network and honestly are not something the average user would ever need to block. They are, however, something a virus/spyware program would love to block. So, if you want to block those hosts, buy a firewall; they're down to about $20.
As for MSN, my only guess is that they don't want to block updates for MSN messenger.
What we have to remember is that these sites are required to fix
Re:MSN (Score:3, Informative)
Yes, it's proprietary and closed source, but at least free as in beer, shrug.
Anyway, I only run Windows in a Virtual PC sandbox so it won't infect my real O.S.
How is this a competitive advantage? (Score:2)
Re:How is this a competitive advantage? (Score:3, Informative)
Smart move from M$ (Score:3, Insightful)
An automatic update of WMP and your PC gets owned, and nothing can be done to prevent it!
Re:Smart move from M$ (Score:3, Insightful)
Let me know if you manage the second one.
Re:Smart move from M$ (Score:3, Informative)
Re:Smart move from M$ (Score:2)
Would be ok... (Score:3, Insightful)
Cheers, Fogger
Route to null (Score:5, Informative)
nslookup whatever.microsofts.domains
takes the list of return addresses and
route ADD destination MASK mask INVALID INVALID INVALID foreach
and your traffic to MS won't even leave the network card.
Re:Route to null (Score:2)
Re:Route to null (Score:3, Informative)
Interference with my sig! (Score:4, Funny)
Now I'll have to include a disclaimer...
Just another reason to continue using a more robust system :)
Sensationalism (Score:3, Insightful)
Nothing prevents you from not using the operating system's resolver. It's trivial to implement your OWN DNS client in your programs, bypassing any HOSTS settings and other DNS resolver issues.
I've never seen so many people who were so clueless and misinformed about the technical issues involved here.
Re:Sensationalism (Score:2)
Sensationalist Junk (Score:2)
The problems with this (Score:2, Insightful)
Re:The problems with this (Score:2)
Problem is, even Windows has problems with the limited user accounts. I tried setting up Internet Connection Sharing, and I can't even connect to my ISP using a limited account.
Hotels on Park Place (Score:2)
Re:Hotels on Park Place (Score:2)
Re:Hotels on Park Place (Score:2, Insightful)
Re:Hotels on Park Place (Score:2)
Does this give Microsoft an advantage? Eh, maybe, but
FUD flying low again (Score:3, Insightful)
So this is going to be celebrated as the hack against malware that keeps you from updating. Ohhhh great. Ok, next move from the malware writers is simply to keep a thread running that checks if something is coming in from the "unwanted" sites. If so, it's deleted before execution. Problem solved.
There is no technical solution for social problems.
Re:FUD flying low again (Score:2)
Re:FUD flying low again (Score:2)
And yes, guarding your hosts file is important. IF, and only IF, you do it yourself and don't let some company do it. The reason for this lies in the shape of the threat.
The threat is that an attacker willingly alters your hosts file, trying to redirect you to some site. If you protect your hosts file by some means, you are safe from this. If, on the other hand, MS starts to protect the file, the attacker
Re: (Score:2)
So what's the big deal (Score:2, Informative)
rest of the FD thread (Score:3, Interesting)
ANYONE can Do this! The Functions are Documented (Score:3, Informative)
http://msdn.microsoft.com/library/default.asp?url
Also you can defeat a Host file by simply changing the priority of lookups using the registry, more here:
http://www.dslreports.com/forum/remark,15900699~d
Use Treewalk DNS instead (Score:3, Informative)
http://treewalkdns.com/ [treewalkdns.com]
Allows you to bypass Windows' own DNS server and gives you the useful feature of making DNS queries much quicker than resolving to your ISP all the time, among other benefits.
Very easy to install for Joe User and just as easy to uninstall.
HTH
Monopolies (Score:5, Insightful)
Now they are using that same monopoly power to take over the anti-malware market.
I'm rather ambivalent about this. On one hand, it is just one more case of Microsoft waiting for a market to mature, then forcing their way into it. On the other hand, this market wouldn't exist if it wasn't for their own shoddy products, so it's really Microsoft's responsibility to fix it. However, malware protection software isn't the correct answer, it's just the most expedient, with a potential for additional profit.
All-in-all, it's just Microsoft's usual game: own the system, rig the system, use that to take over another system. Keep secrets, and act all coy when your secrets are discovered.
Sensationalist FUD (Score:2)
You can EASILY do this in your own programs by implementing your own resolver. Microsoft cannot and does not prevent you from doing this.
Microsoft is merely doing something smart. If other vendors cannot figure this out, it's their fault. Microsoft shouldn't be penalized for being smart.
Re:Monopolies (Score:2)
How did Microsoft financially benefit from Internet Explorer's dominance? IE is and always has been a free product. More relevant to this topic, Windows Defender is free and probably always will be. Sure, other anti-malware software companies may suffer because their products are not so in demand, but so what?
Also, I do not even see this as an entry into another market, more of an eff
Re:Monopolies (Score:4, Insightful)
Back in the day, Netscape was developing web applications. This was kind of scary for Microsoft, as this shifted the focus away from the operating system and to the browser. Back then, Netscape ran on almost everything (Windows, Mac, Linux, BSD, OS/2, etc), and if in the future the user did all their work under web applications, then suddenly the underlying OS would become less important. Why spring for a Windows license to run Netscape when you could download Linux for free?
So Microsoft's response was Internet Explorer. At first it seemed that Microsoft was going with the Netscape route of supporting multiple platforms, but they quickly killed off everything but IE for Windows (Except for the Mac version, which lingered on quite a bit longer before finally getting axed). From there they made their browser not quite standards compliant (but close enough to get people to switch to it), and created ActiveX. They then integrated all of this into Windows and their respective server software. This made it easy for people to create Web applications and content that only worked properly under Internet Explorer for Windows, and many of these ended up being made - particularly for company intranets. At first, this seemed great for companies that basically ran Windows everywhere, but it also locked them into Microsoft's software. This is likely one of the reasons why Windows is still so dominant on the desktop, and is also one of the main reasons why in the bizarro-land of slashdot circa April, 2006, Mac users are so excited about running Windows on their Apple machines.
Of course, the threat of Web applications is coming around again, with open standards like XML threatening to make your choice of OS less relevant, and even your choice of browser unimportant (so long as it supports the open standards). I'm not sure what Microsoft has in store for this round (if anything), as IE7 seems to be too little, too late - and the popularity of Linux and OSX is growing.
So in conclusion, Internet Explorer wasn't so much about crushing Netscape Navigator, as it was about crushing Web applications that could run everywhere.
Re:Monopolies (Score:2)
No they aren't.
Some genius at MS came up with this brilliant idea before MS had a malware detection tool.
Before WinXP SP2, a subverted HOSTS file could prevent Windows Update from running.
The hardcoded DNS entries were probably some misguided piece of MS's 'ooh look, SP2 is going to have great security' campaign.
So again: MS wasn't/isn't trying to abuse their monopoly. If you (or whoever modded you up) had RTFA, then it'd be ap
Don't you know they're useless now? (Score:2)
Now they're using a new, secret technology that controls you through your nose. Thankfully, I've designed new noseplugs that you can install in your nostrils; they're even almost invisible and thoroughly woven with gold and platinum. That makes them a little pricey, but it's the ONLY protection you can have!
O
Re:conspiracy-theorists, start your engines! (Score:2)
Ah, so one way to manipulate your critics into suppressing their viewpoint is by blanketly associating it with paranoid nutcases, thereby using 'fear of being labelled' to silence them, I see.
I'm not sure where the "conspiracy theory" here though is because this is established fact.
Re:legitimate use? (Score:2)
Re:They control the vertical, and the horizontal (Score:2)
Re:They control the haiku (Score:4, Interesting)
Windows xp still better
need to run useful software
Mac and Linux are toys
that is not quite right
both the troll and the haiku
are somewhat lacking
but please understand
Mac and Linux are not toys
just other systems
Windows has problems
while it does have more software
it is insecure
please try something else
you might find that you like it
don't stagnate yourself
if end users switch
developers will follow
more software for all
so please help yourself
and help the rest of the world
try something else
if you don't like them
that is your prerogative
simply don't use them
but I'm warning you
going back is much harder
but it is your choice
other OSes
few viruses and malware
true computing bliss
as for poetry
haiku syllable count is
5-7-5
Re:WHY? (Score:5, Funny)
Re:Well (Score:3, Insightful)
"Microsoft is bypassing local lookups for some hosts, meaning that you can't locally block some sites through your HOSTS file."
I already said why that's stupid anyway.
"All of these sites are Microsoft controlled sites. The general feeling in the rest of the thread is that this was to obfuscate these hosts and prevent them from being blocked by malware."
Well, malware authors are just going to replace the resolver function instead of aiming for