Slashdot Mirror


Microsoft Bypasses HOSTS File

whitehatlurker writes "Dave Korn announced on the Full Disclosure and Bugtraq security lists that Microsoft is bypassing local lookups for some hosts, meaning that you can't locally block some sites through your HOSTS file. All of these sites are Microsoft controlled sites. The general feeling in the rest of the thread is that this was to obfuscate these hosts and prevent them from being blocked by malware. However, there are no non-Microsoft hosts listed, giving a competitive advantage for Microsoft's anti-malware tools over other brands."
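A practical way to check the claim above on your own machine is to compare what the HOSTS file says against what the system resolver actually returns. The script below is an added example written for this page, not code from the Full Disclosure thread or from any poster here. It parses a HOSTS file in the standard format and reports every entry the resolver did not honour; the resolver is passed in as a callable so the comparison logic can be exercised offline against constructed data. The hostnames in SAMPLE_HOSTS and in the expected results are placeholders, not the hosts discussed on the lists.

```python
"""Audit whether the local HOSTS file is honoured by the system resolver."""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample HOSTS content; all names are placeholders.
SAMPLE_HOSTS = """\
# Sample HOSTS file (constructed for this example)
127.0.0.1       localhost
0.0.0.0         blocked.example      # comment after entry
0.0.0.0         telemetry.example another-alias.example
  10.0.0.5      intranet.example
not-an-ip       garbage.example
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Return {hostname: ip} for every well-formed line of a HOSTS file."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no names is useless
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)  # skip lines whose address is invalid
        except ValueError:
            continue
        for name in names:
            # First entry wins, which is how resolvers treat duplicate names.
            mapping.setdefault(name.lower(), ip)
    return mapping


def find_bypassed(mapping: Dict[str, str],
                  resolve: Callable[[str], Optional[str]]) -> List[Tuple[str, str, str]]:
    """Return (name, hosts_ip, resolver_result) for entries the resolver ignored.

    `resolve(name)` returns the address the system resolver gave back, or None
    (or raises OSError) when the lookup failed. A HOSTS hit never fails or times
    out, so a failed lookup also means the file was bypassed for that name.
    """
    bypassed = []
    for name, expected in sorted(mapping.items()):
        try:
            actual = resolve(name)
        except OSError:
            actual = None
        if actual is None:
            actual = "<lookup failed>"
        if actual != expected:
            bypassed.append((name, expected, actual))
    return bypassed


def system_resolve(name: str) -> str:
    """Resolve through the OS resolver, the one that is supposed to consult HOSTS."""
    return socket.gethostbyname(name)


if __name__ == "__main__":
    # Real use: read the live file and query the OS resolver.
    # Windows: %SystemRoot%\System32\drivers\etc\hosts   Unix: /etc/hosts
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/hosts"
    with open(path, encoding="utf-8", errors="replace") as fh:
        entries = parse_hosts(fh.read())
    for name, expected, actual in find_bypassed(entries, system_resolve):
        print(f"BYPASSED {name}: HOSTS says {expected}, resolver returned {actual}")
```

Run it with the path to your HOSTS file; an empty report means every entry was honoured. Entries that resolve to something other than the listed address, or that time out, are the ones the resolver answered without consulting the file.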

5 of 459 comments

  1. Not a useful thing for MS to do by mgv · · Score: 5, Interesting

    I would have thought that if you can't subvert the HOSTS file then all you have to do is to intercept any DNS lookup of these MS addresses and you would have the same effect.

    If you are trying to stop MS software from talking to home, then just use an external firewall.

    Michael

    --
    There is no cryptographic solution to the problem where the intended receiver and the attacker are the same entity.
  2. Is this necessarily a bad thing? by BluhDeBluh · · Score: 5, Interesting

    It helps prevent malware. Sure, MS might have a slim advantage, but it also prevents otherwise botted PCs from accessing MS Updates against things like Blaster. I don't see this as being such a big deal.

  3. Ad blocking by aembleton · · Score: 5, Interesting

    Microsoft could also be using this to prevent users from blocking MSN messenger ad servers.

  4. Re:Yet Another Band-Aid? by moosesocks · · Score: 4, Interesting

    I've always found the /etc/ to be the funniest part of that path.

    This is one of the telltale remnants of the BSD-derived TCP/IP stack that NT/XP uses.

    Although the stack itself has been heavily modified, using /etc/ as the location for the hosts file still remains, along with other little hints -- ftp.exe is almost identical to the BSD FTP utility. BSD also gets properly credited in the XP copyright notice.

    --
    -- If you try to fail and succeed, which have you done? - Uli's moose
  5. Re:I couldn't reproduce this on Win2K. by pla · · Score: 4, Interesting

    Anyone out there with XP who can reproduce this?

    Good idea, but no luck. Same result, though with one slight difference which might prove useful as a workaround - the first attempt timed out, meaning it really performs the query rather than having a hardcoded list of IP mappings. So if you ran a caching DNS proxy on your machine (i.e., exactly what the built-in DNS service does, but one not containing a built-in Microsoft hack), pointed your machine's DNS to itself, and told the proxy to use a bogus address for the sites in question, that should successfully block them.

    Better to do this at the firewall, though (a real external hardware firewall, not Microsoft's "trust us, this works" crap).
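The workaround in the comment above, a local resolver that answers selected names itself and forwards everything else, can be sketched in a few dozen lines with only the standard library. The code below is an added example written for this page; it is not code from the thread or from any poster, and it is a plain forwarder rather than the caching proxy the comment mentions (no answer caching is implemented). UPSTREAM is a placeholder resolver address, BLOCKED holds constructed placeholder names, and the sinkhole address, port and TTL are choices made here. Blocked names and their subdomains get an A answer pointing at SINKHOLE_IP; other record types for blocked names get an empty answer; everything else goes upstream over UDP.

```python
"""Minimal DNS forwarder that sinkholes selected names (A records only)."""
import socket
import struct

UPSTREAM = ("192.0.2.53", 53)       # placeholder upstream resolver; replace for real use
SINKHOLE_IP = "0.0.0.0"             # address returned for blocked names
SINKHOLE_TTL = 60
BLOCKED = {"blocked.example", "telemetry.example"}   # constructed placeholder names


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a standard recursive query (used for offline self-tests)."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + qname + struct.pack("!HH", qtype, 1)        # class IN


def parse_question(packet: bytes):
    """Return (txid, qname, qtype, question_end) for a single-question query."""
    if len(packet) < 12:
        raise ValueError("packet too short for a DNS header")
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("only single-question queries are handled")
    labels, pos = [], 12
    while True:
        length = packet[pos]          # IndexError on a truncated packet is caught by serve()
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels).lower(), qtype, pos + 4


def is_blocked(qname: str) -> bool:
    """True for an exact match or any subdomain of a blocked name."""
    return qname in BLOCKED or any(qname.endswith("." + b) for b in BLOCKED)


def build_sinkhole_response(query: bytes, question_end: int, txid: int, qtype: int) -> bytes:
    """Echo the question; answer A queries with SINKHOLE_IP, others with no records."""
    ancount = 1 if qtype == 1 else 0
    # Flags 0x8180: response, recursion desired, recursion available, NOERROR.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)
    question = query[12:question_end]
    answer = b""
    if qtype == 1:
        # Name is a pointer (0xC00C) back to the question name at offset 12.
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, SINKHOLE_TTL, 4) + socket.inet_aton(SINKHOLE_IP)
    return header + question + answer


def forward(query: bytes) -> bytes:
    """Relay an unblocked query to UPSTREAM and return its raw response."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as up:
        up.settimeout(3)
        up.sendto(query, UPSTREAM)
        data, _ = up.recvfrom(4096)
        return data


def handle(query: bytes) -> bytes:
    """Return the response for one query: a sinkhole answer or the upstream reply."""
    txid, qname, qtype, qend = parse_question(query)
    if is_blocked(qname):
        return build_sinkhole_response(query, qend, txid, qtype)
    return forward(query)


def serve(bind=("127.0.0.1", 53)):
    """Listen on UDP and answer queries until interrupted."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(bind)
        while True:
            query, client = srv.recvfrom(4096)
            try:
                srv.sendto(handle(query), client)
            except (ValueError, IndexError, OSError):
                continue  # malformed query or upstream timeout: drop it


if __name__ == "__main__":
    serve()
```

To use it, run the script with enough privilege to bind port 53, set the machine's DNS server to 127.0.0.1, and replace UPSTREAM with a resolver you trust. Whether a given client honours the locally configured DNS server is a separate question from whether it honours HOSTS; the comment above reports that the query does go out, which is what makes this approach work.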