Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Bypasses HOSTS File

Posted by ryuzaki0 on from the they-know-what's-best dept.

whitehatlurker writes "Dave Korn announced on the Full Disclosure and Bugtraq security lists that Microsoft is bypassing local lookups for some hosts, meaning that you can't locally block some sites through your HOSTS file. All of these sites are MicroSoft controlled sites. The general feeling in the rest of the thread is that this was to obfuscate these hosts and prevent them from being blocked by malware. However, there are no non-MicroSoft hosts listed, giving a competitive advantage for MicroSoft's anti-malware tools over other brands."

33 of 459 comments (clear)

  1. So what? by nametaken · · Score: 4, Insightful

    People should know by now, when you go MS, you don't buy the horse, you buy the farm. You wanna segment and pick and choose on the MS platform? Good luck.

  2. Permissions? by tomstdenis · · Score: 4, Insightful

    tom@localhost ~ $ ls -l /etc/hosts
    -rw-r--r-- 1 root root 519 Oct 19 12:13 /etc/hosts

    ....

    Why can't windows just make the host files read only.

    --
    Someday, I'll have a real sig.
    1. Re:Permissions? by tomstdenis · · Score: 4, Insightful

      Yes, but the motivation to ignore the hosts file is because of viruses that could overwrite it.

      So ... if a user level virus couldn't write to the host file ...

      Think about it.

      Tom

      --
      Someday, I'll have a real sig.
    2. Re:Permissions? by v1 · · Score: 4, Insightful

      Windows security is as effective as a screen door on a submarine.

      It'd take the malware makers about an hour to find any of the what, probably 80 holes that would let them go around such windows security. A back-and-forth battle like that could easily go on for months if not years. In unix, security and permissions are the foundation, on top of which everything is built. In windows, security is a hack that was added on later with no due consideration during the initial design phase of windows. It's no wonder it's next to impossible to get it to work the way you want it to.

      When you are designing security, the sad truth of it is, the user is the enemy. There's no nicer way to look at it. So it takes a great deal of care to design a security system that can withstand the assult of a user while at the same time being functional and serving the user. It's too late for windows to make those design considerations. They have errored on the side of functionality and sacrificed the security of the system. There is no fixing that.

      --
      I work for the Department of Redundancy Department.
    3. Re:Permissions? by Teancum · · Score: 2, Insightful

      Of course this is also following the assumption that the administrator of the systems you are talking about are also not the users who are on the computer systems.

      The whole admin/user philosophy is based on the religion called the "High Priesthood of the Computer Temple", where you have to make special requests to a special unique class of individuals who control computer resources.

      As for PC operating systems, in particular Microsoft OS platforms, they were designed for independent system operations where the primary user was considered not only the "user" but also the "administrator". While in practice that may seem silly in a corporate environment (leading to fights between the ancient priests and the jonny come lately PC users), it is a fact of life.

      I understand where you are coming from in this post, but it really is the result of the clash of two cultures, and Microsoft pretending that it is supporting one culture when its roots are firmly established in the other. And why security flaws like this abound.

    4. Re:Permissions? by secolactico · · Score: 4, Insightful

      So ... if a user level virus couldn't write to the host file ...

      Which leads us back to the primordial Windows security problem: users running with admin priviledges.

      In the example you provided in the previous post, /etc/hosts is writable only by root. If user runs as root all the time, then it's back to square one.

      As far as I know Windows host file is only writable by Administrator level (dunno, I don't have a Windows machine with me right now). Is it otherwise?

      --
      No sig
    5. Re:Permissions? by saleenS281 · · Score: 5, Insightful

      funny, I see write access by root there. And last I checked, when malware *owns* windows, it's local root, which means the permissions you speak of would amount to absolutely nothing... And btw, you can make it read only to normal users, but again, this would accomplish nothing.

    6. Re:Permissions? by Omaze · · Score: 2, Insightful

      > The problem is everyone runs Windows as an Administrator, not a user.

      Only because people always need admin priveleges at the most inopportune times. Sure, you only need to be Admin for 2 seconds, but if you're doing anything technical with the system, you need them every 5-10 minutes. In these situations Run As is at best, cumbersome, and in many cases outright incapable.

      If Windows wanted to be truly innovative there would be a way to supply an Admin password, temporarily upgrade privs to Admin, and then have a button available to immediately downgrade.

      I'd like the IP on that idea since it'll be central to making a GUI OS both secure and functional.

      --
      The government itself is not stealing your liberties. Their new programs are enabling criminals who will.
    7. Re:Permissions? by Alioth · · Score: 2, Insightful

      In the single user, single tasking non-networked PC world of the 1980s, the idea of the user always being the administrator was fine and not harmless. However, you can't take this model into the networked multi-user world and expect it to work. If Microsoft expects its software to work in the networked world, they must drop their single user single tasking philosophy.

      --
      Oolite: Elite-like game. For Mac, Linux and Windows
  3. It's a Big Deal because... by TubeSteak · · Score: 5, Insightful
    As mentioned in TFA's thread:
    2) As far as I know, their malicious software removal tool didn't exist back when this behavior was created, so what good was keeping access to Microsoft open going to do an infected system? What good does it do to install a patch for a vulnerability that's already been exploited onto the computer of the archetypal "home user"?
    MS hardcoded this in with WinXP SP2 & Win2k3 SP1.

    Why? Maybe someone will get a comment from MS.

    The point is that mucking around with the inner workings of the OS is BAD, unless it is documented appropriately. Now, documentation doesn't make it good, but if they're departing from the expected behavior, they should let people know.
    --
    [Fuck Beta]
    o0t!
    1. Re:It's a Big Deal because... by slashname3 · · Score: 2, Insightful

      The point is that mucking around with the inner workings of the OS is BAD

      Stated like you control and/or own the OS running on your machine. This is just another example showing how Microsoft feels they should be the ones to control your system. There are many examples of this. Patches for applications that change things in the core operating system are common. Why a patch for office should change things in the OS never made any sense. But then Micrsoft knows best.

  4. Potentially unfair... by Maul · · Score: 5, Insightful

    The main problem is not that you can't block MS addresses, it is that MS is only preventing their addresses from being blocked. Since they are now getting into the security business, this gives them what could be seen as an unfair advantage.

    Let us say that Joe User gets a piece of Malware, so he decides to visit a security company to find a solution to his problem. However, the malware has modified his hosts file to block security company web pages from being accessed, which is extremely typical. Joe User is not experienced enough to even know there is a hosts file that he could change back.

    Joe User's first attempt would likely be to norton.com, symantec.com (both go to Symantec's main page), or mcafee.com, since these names are pretty much synonymous with antivirus software. However, all of those are blocked and he can't access them.

    However, if he goes to microsoft.com, he can go there since the hosts file is subverted in the OS. Since he can't spend the time to figure out why he can't access the others, he purchases Microsoft's AV solution.

    --

    "You spoony bard!" -Tellah

    1. Re:Potentially unfair... by harlows_monkeys · · Score: 2, Insightful
      Let us say that Joe User gets a piece of Malware, so he decides to visit a security company to find a solution to his problem. However, the malware has modified his hosts file to block security company web pages from being accessed, which is extremely typical. Joe User is not experienced enough to even know there is a hosts file that he could change back

      This is why antivirus/antispyware software should check for updates by IP address. If it can't find the update servers, only then should it do a DNS lookup, and then it should do it with its own built-in resolver, that starts at the root servers and works its way down.

  5. Yet Another Band-Aid? by displaced80 · · Score: 4, Insightful

    Hmm. This seems a bit ass-backwards to me.

    Rather than having to ignore the HOSTS file because it may be malicious, shouldn't the solution be to prevent HOSTS from getting mangled in the first place?

    (oh, and on an unrelated note: why on earth is the Win32 HOSTS file buried away under C:\Windows\System32\Drivers\etc\? I mean.... 'drivers'?!!? Bizarre.

    --
    What's the frequency, Kenneth?
  6. MSN by Joe+U · · Score: 2, Insightful

    The only thing that troubles me is the inclusion of MSN.com in the list.

    The other hosts are used in Microsoft's patch distribution network and honestly is not something the average user would ever need to block. It is, however, something a virus/spyware program would love to block. So, if you want to block those hosts, buy a firewall, they're down to about $20.

    As for MSN, my only guess is that they don't want to block updates for MSN messenger.

    What we have to remember is that these sites are required to fix a broken system, so I don't view this as just an advantage for MS antispyware.

  7. Smart move from M$ by Fantasio · · Score: 3, Insightful
    How long before somebody poisons these adresses in the DNS servers ?

    An automatic update of WMP and your PC gets owned, and nothing can be done to prevent it!

    1. Re:Smart move from M$ by gclef · · Score: 2, Insightful

      Patches from MS are cryptographically signed. You need to do more than just poison teh DNS for these hosts. You need to either steal MS' private signing key or break RSA.

      Let me know if you manage the second one.

  8. Would be ok... by thefogger · · Score: 3, Insightful

    ...if Microsoft had documented this behavior. Yet still, I fail to see what the big deal is. So you can't force an IP address to a domain with hosts.txt for some sites that microsoft controls. If you need to do that, for example for some corporate filter or updating solution, you could just modify your own dns server. Home users on the other hand get more reliable access to windows update, which is very important. Otherwise it would be trivial for malware to block the computer from recieving updates, and the automatic updates would silently fail.

    Cheers, Fogger

    --


    Um... I didn't do it!
  9. Sensationalism by Anonymous Coward · · Score: 3, Insightful

    Who cares?

    Nothing prevents you from not using the operating system's resolver. Its trivial to implement your OWN DNS client in your programs, bypassing any HOSTS settings and other DNS resolver issues.

    I've never seen so many people who were so clueless and misinformed about the technical issues involved here.

  10. Monopolies by Tony · · Score: 5, Insightful

    A court of law has determined that Microsoft is a monopoly. One of the anti-trust regulations specifies that you cannot use your monopoly power to force your way into another market; that was the heart of the conviction against Microsoft in the Netscape case. Microsoft used their monopoly to oust Netscape as the dominant browser by bundling, which is illegal.

    Now they are using that same monopoly power to take over the anti-malware market.

    I'm rather ambivilent about this. On one hand, it is just one more case of Microsoft waiting for a market to mature, then forcing their way into it. On the other hand, this market wouldn't exist if it wasn't for their own shoddy products, so it's really Microsoft's reponsibility to fix it. However, malware protection software isn't the correct answer, it's just the most expedient, with a potential for additional profit.

    All-in-all, it's just Microsoft's usual game: own the system, rig the system, use that to take over another system. Keep secrets, and act all coy when your secrets are discovered.

    --
    Microsoft is to software what Budweiser is to beer.
    1. Re:Monopolies by toddestan · · Score: 3, Insightful

      How did Microsoft financially benefit from Internet Explorer's dominance? IE is and always has been a free product. More relevant to this topic

      Back in the day, Netscape was developing web applications. This was kind of scary for Microsoft, as this shifted the focus away from the operating system and to the browser. Back then, Netscape ran on almost everything (Windows, Mac, Linux, BSD, OS/2, etc), and if in the future the user did all their work under web applicatons, then suddenly the underlying OS would become less important. Why spring for a Windows license to run Netscape when you could download Linux for free?

      So Microsoft's response was Internet Explorer. At first it seemed that Microsoft was going with the Netscape route of supporting multiple platforms, but they quickly killed off everything but IE for Windows (Except for the Mac version, which lingered on quite a bit longer before finally getting axed). From there they made their browser not quite standards compliant (but close enough to get people to switch to it), and created ActiveX. They then integrated all of this into Windows and their respective server software. This made it easy for people to create Web applications and content that only worked properly under Internet Explorer for Windows, and many of these ended up being made - particularly for company intranets. At first, this seemed great for companies that basically ran Windows everywhere, but it also locked them into Microsoft's software. This is likely one of the reasons why Windows is still so dominant on the desktop, and is also one of the main reasons why in the bizarro-land of slashdot circa April, 2006, Mac users are so excited about running Windows on their Apple machines.

      Of course, the threat of Web applications is coming around again, with open standards like XML threating to make your choice of OS less revelevent, and even your choice of browser unimportant (so long as it supports the open standards). I'm not sure what Microsoft has in store for this round (if anything), as IE7 seems to be too little, too late - and the popularity of Linux and OSX growing.

      So in conclusion, Internet Explorer wasn't so much about crushing Netscape Navigator, as it was about crushing Web applications that could run everywhere.

  11. The problems with this by bobbutts · · Score: 2, Insightful

    The real problem with this is that: 1. It wasn't documented, so people had to discover this non-intuitive exception. 2. It defeats the purpose of the hosts file. Had they also included the other AV vendors in the list and made the function public it may have seemed like a practical band aid to the hosts file hijacking problem. Instead they made it M$ only and hid it so it looks slimy. The issue is being addressed is also PEBKAC related.. If Windows users weren't logged in as admin the hosts file would be off limits.

  12. Re:Is this necessarily a bad thing? by quarkscat · · Score: 5, Insightful

    Absolutely, yes, it is a bad thing.

    Microsoft has:
            instituted not only License 6, but also "phone home" validation. At any time, MS may
            decide to shut down any business worldwide that uses their products, at their (or a
            malviolent government's) discretion;

            embraced and extended(tm) LDAP with kerberos authentication that is not industry-
            standard or cross-platform compatible;

            embraced and extended(tm) web browser standards that have made Internet and
            platform security a nightmare;

            implimented a software firewall (XP SP2) that doesn't actually control/restrict all
            incoming and outgoing packets, making the use of a third party (H/W?) firewall
            less redundant and more actually necessary;

            stripped nearly all OS improvements out of their upcoming flagship OS, excepting
            Digital Rights Restrictions -- which may also remotely disable or remove products
            and/or services which they choose to disallow for any reason.

    Bypassing DNS and the hosts file on the OS platform is their "camel's nose under the
    tent flap" for future modifications to the network stack, all in the name of their brand
    of "security", which is (frankly) appalling. Given Microsoft's current product direction,
    it is not outside the realm of possibility that the future average computer user's
    experience will be some cross between a WebTV and an XBox.

  13. FUD flying low again by Opportunist · · Score: 2, Insightful

    "Safeguarding" your hosts file against tampering is pointless. Yes, a few trojans toy with it. The ONLY place that's ever redirected afaik is updates.microsoft.com.

    So this is going to be celebrated as the hack against malware that keeps you from updating. Ohhhh great. Ok, next move from the malware writers is simply to keep a thread running that checks if something is coming in from the "unwanted" sites. If so, it's deleted before execution. Problem solved.

    There is no techical solution for social problems.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:FUD flying low again by Keeper · · Score: 2, Insightful

      That's the most ass-backward dumbass statement I've ever read.

      In summary: "Making a system harder to attack makes us more vulnerable to attack."

      Using that logic, I would encourage you to place your box on a direct connection to the internet, enabling telnet access via the root account, and allowing the root account to login without a password.

      After all, using a password would encourage a hacker to hack telnet which would be harder to observe. And if you didn't have telnet on they'd attack some other part of the system you didn't know about. And if you had a firewall, a hacker would have to get through that first, and you can't even check for that on your computer!

      </sarcasm>

  14. Re:Is this necessarily a bad thing? by houstonbofh · · Score: 2, Insightful

    The problem I have is that it's My PC! It is not Microsoft's (as much as they want to believe it) or Sony's or Star Forces, but Mine. I am sick to death of companies trying to protect me from ME and preventing me from using my devices as I want. Try and put a good Cisco WiFi card in the mini-pci slot of a HP, Compaq, or IBM laptop. "Unauthorized wireless network card detected. System halted..." Try using a car charger for any RAZR phone on a Verizon RAZR phone. "Unauthorized Charger." When you sell me something, IT'S MINE DAMNIT!

    Sorry, I just had to vent...

  15. Re:Hotels on Park Place by BradleyUffner · · Score: 2, Insightful

    Maby because it's not illegal?

  16. Completely irrelevant by mstefan · · Score: 1, Insightful

    It's trivial to directly perform a DNS query. Any third-party application (including malware) can do exactly the same thing Microsoft is doing, there's no "secret sauce" here that's only available to the coders in Redmond.

    --
    "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." --Albert Einstein
  17. Re:Not a useful thing for MS to do by Nasarius · · Score: 2, Insightful

    Except it's not very effective, is it? Is there anything stopping a system-level process (eg, malware) from grabbing the window handle and sending the appropriate keystrokes to dismiss the prompt? I haven't tested it myself, but I've used that technique successfully for the "unsigned driver" warnings. WFP lets you keep the unsigned driver/DLL with no further warnings if you press two buttons.

    --
    LOAD "SIG",8,1
  18. Re:Is this necessarily a bad thing? by Escogido · · Score: 2, Insightful

    In a way, it is. This is a part of the price that you pay for these things actually existing, and existing for the prices you have them. When you get sold something it's yours as sold, not as you want it to do. If you don't like it, don't buy it, it's as simple as this.

    Please realize that in order for the corporations to meet business targets, it is sometimes needed to cut off competition like that. If you had the right of getting every piece of equipment being compatible with everything else out there, then you might find yourself in a world where aforementioned pieces are delayed or don't exist at all, because selling these (and funding R&D in the first place) wouldn't be financially viable.

    So this is a trade-off of sorts: you get a worse-compatibility item for better prices and better availiability. How much would that RAZR cost if you could use any charger you like? And would Verizon even bother?

    Now, I'm not defending Microsoft in this particular case, since your post didn't either. I'm just trying to be fair to evil corps (gasp!). After all, there is still free market and if there is enough of likes of you who have a desire of "mine damnits", then there is demand and someone will surely fill the supply.

    And if not... well then I guess there's a lot that I'd like myself to use, too, but does not exist/costs too much as well.

  19. Re:Is this necessarily a bad thing? by Paradise+Pete · · Score: 2, Insightful
    I didn't even know about the hosts file until 5 minutes ago so would it have effected[sic] me? No.

    I think he must have had you in mind when the Sony exec said "Most people I think don't even know what a rootkit is, so why should they care about it?"

  20. Re:Well by TCM · · Score: 2, Insightful

    Upon further thinking, this whole article is flawed and perverted.

    "Microsoft is bypassing local lookups for some hosts, meaning that you can't locally block some sites through your HOSTS file."

    I already said why that's stupid anyway.

    "All of these sites are MicroSoft controlled sites. The general feeling in the rest of the thread is that this was to obfuscate these hosts and prevent them from being blocked by malware."

    Well, malware authors are just going to replace the resolver function instead of aiming for the easier target. If they can replace entries in the hosts file, they have sufficient privileges anyway.

    "However, there are no non-MicroSoft hosts listed, giving a competitive advantage for MicroSoft's anti-malware tools over other brands."

    That's really far-fetched. Let me see: Most users use their Windows as root-equivalent because of sucky software and because they don't know any better. Spyware can replace the hosts file to block access to Microsoft's auto-update because users are root. So instead of fixing the fundamental problem, Microsoft does what it does best: kludges, bandaids, bullshit. And now suddenly this is viewed as a "competitive advantage"?! Remember people: don't attribute to malice what can be explained with stupidity.

    To me this is only proof again that anything related to Windows is a swamp of bad design, ugly hacks and inconsistencies. I wouldn't construct an evil intent on Microsoft's side here. It's just their usual incompetence.

    --
    Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
  21. Try looking at it in reverse. by jd · · Score: 2, Insightful

    What it means is that if a rootkit alters the internal IP tables for a Microsoft address, most virus checkers won't pick up on it (the Hosts file will be untouched) and it will be impossible for the user to override the problem in order to get to Microsoft's website to download the necessary patches.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)