Microsoft Bypasses HOSTS File
whitehatlurker writes "Dave Korn announced on the Full Disclosure and Bugtraq security lists that Microsoft is bypassing local lookups for some hosts, meaning that you can't locally block some sites through your HOSTS file. All of these sites are MicroSoft controlled sites.
The general feeling in the rest of the thread is that this was to obfuscate these hosts and prevent them from being blocked by malware. However, there are no non-MicroSoft hosts listed, giving a competitive advantage for MicroSoft's anti-malware tools over other brands."
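A check for the situation the submission describes, added here as an example and not part of the original thread or of any Microsoft tool: parse the HOSTS file, pick out the names the owner has deliberately sinkholed (mapped to a loopback or unspecified address), resolve each one through the OS resolver, and report any name whose answer does not match the HOSTS entry. The resolver is passed in as a callable so the logic can be exercised against constructed data; the sample HOSTS content and the `example.*` names in it are constructed for this example, and the "first entry for a name wins" rule is an assumption of the example, not something the thread states.

```python
"""Detect HOSTS-file entries that the system resolver does not honour."""
import os
import socket
import sys
from typing import Callable, Dict, List

# Addresses people use to sinkhole a name in HOSTS.
BLOCK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1", "::"}

# Constructed sample HOSTS content (example.* names, not from the thread).
SAMPLE_HOSTS = """\
# Sample HOSTS file (constructed for this example)
127.0.0.1       localhost
127.0.0.1  ads.example.com   tracker.example.com  # sinkholed by the owner
0.0.0.0    update.example.net
::1        telemetry.example.org
192.168.1.10 intranet.example.local
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Return {name: address} from HOSTS text.

    Comments ('#' to end of line) and blank lines are ignored; a line may map
    one address to several names.  The first entry seen for a name is kept
    (assumption: first-match semantics, as most resolvers use).
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        address, names = tokens[0], tokens[1:]
        for name in names:
            mapping.setdefault(name.lower(), address)
    return mapping


def blocked_names(hosts: Dict[str, str]) -> List[str]:
    """Names the HOSTS file deliberately sinkholes (localhost excluded)."""
    return sorted(n for n, a in hosts.items()
                  if a in BLOCK_ADDRESSES and n != "localhost")


def check_bypass(hosts: Dict[str, str],
                 resolve: Callable[[str], List[str]]) -> Dict[str, List[str]]:
    """Return {name: answers} for sinkholed names the resolver did not map
    to their HOSTS address.  An empty result means HOSTS is being honoured.

    A name with no answer at all (NXDOMAIN, no network) is not a bypass and
    is left out of the report.
    """
    bypassed: Dict[str, List[str]] = {}
    for name in blocked_names(hosts):
        answers = resolve(name)
        if answers and hosts[name] not in answers:
            bypassed[name] = answers
    return bypassed


def os_resolve(name: str) -> List[str]:
    """Resolve through the OS resolver (the layer a dnsapi-level bypass affects)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def default_hosts_path() -> str:
    """Platform default location of the HOSTS file."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else default_hosts_path()
    with open(path, encoding="utf-8", errors="replace") as fh:
        hosts = parse_hosts(fh.read())
    report = check_bypass(hosts, os_resolve)
    if not report:
        print("HOSTS entries honoured for all %d sinkholed names" % len(blocked_names(hosts)))
    for name, answers in report.items():
        print("BYPASSED: %s -> %s (HOSTS says %s)" % (name, ", ".join(answers), hosts[name]))
```

Run it as administrator or root so the real HOSTS file is readable; a non-empty report means the resolver answered from somewhere other than the file, which is exactly the behaviour the submission complains about.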
I agree. In addition, as much as I may think they should include other sites on that list, those other sites do not play into what MicroSoft sees as the "integrity" of their product. They're not out to make sure that you can get the latest update of Apache or OpenOffice or whatever; they want to make sure that you can update Windows to the latest version (one that might actually stop the malware they're trying to protect from) or get to a place where you can ask MicroSoft a question (which they may or may not answer, and if they do, the answer to which may or may not be helpful), or, heaven forbid, get to a place where you can order a new MicroSoft product (probably because you haven't realized it will have similar flaws to your current and older MS products).
"If God's on our side, he'll stop the next war." -- Bob Dylan
The solution exists. Running as standard user in Windows XP will prevent changes to the hosts file.
If the adware can change your hosts file, then this is pretty useless anyway. Now all the software has to do is run a script that does the following:
nslookup whatever.microsofts.domains
takes the list of return addresses and
route ADD destination MASK mask INVALID INVALID INVALID foreach
and your traffic to MS won't even leave the network card.
>What is there to stop a virus making edits to the dll binary? Changing the strings that presently
>correspond to the IP addresses of MS domains to some random, invalid address?
Yes, there is a mechanism built into Windows which uses digital signatures and a watchdog to prevent accidental (or deliberate) changes to sensitive DLLs. Any binary changes to any file will invalidate the signature on the DLL. This is more effective than tripwire or other such things whereby a checksum is held in another location since the DLL itself is signed using a PK and cannot be re-signed to hide the changes.
Windows File Protection: http://support.microsoft.com/?kbid=222193
- Oisin
PGP KeyId: 0x08D63965