Microsoft Loses Control Over Windows Tiles Subdomain (zdnet.com)
Microsoft has lost control over a crucial subdomain that Windows 8 and Windows 10 use to deliver RSS-based news and updates to Live Tiles -- animated Windows start menu items. From a report: The subdomain (notifications.buildmypinnedsite.com) is currently under the control of Hanno Bock, a security researcher and journalist for German tech news site Golem.de. The subdomain was part of the buildmypinnedsite.com service that Microsoft set up with the launch of Windows 8, and more specifically to allow websites to show live updates inside users' Start pages and menus.
[...] Today Bock said the service no longer works. "The host that should deliver the XML files -- notifications.buildmypinnedsite.com -- only showed an error message from Microsoft's cloud service Azure," the researcher said. "The host was redirected to a subdomain of Azure. However this subdomain wasn't registered with Azure." Bock registered this subdomain on his Azure account and is currently sinkholing any requests it receives. He also notified Microsoft of the issue but said the company did not reply. "We won't keep the host registered permanently. There's a decent amount of traffic reaching this host and running up costs," the researcher said. "Once we cancel the subdomain a bad actor could register it and abuse it for malicious attacks," he warned.
I love seeing ads every time I click the Start menu!
to the 8 people who use windows live tiles. Once that researcher has control of Suzy Pottingblock of West Virginia's Mid 2000s Pentium 4 based computer and her recipe for egg salad (to say nothing of her extensive collection of crochet stitches) he will dominate the world's pot lucks. And as we all know that's the first step to world conquest. Alexander the Great taught us that much.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Look at the incompetence of a business that has to convince people to give it resources.
How much dumber and more dangerous would a government then be, given that a government just decrees its income regardless of performance? (Indeed, the worse a government performs, the more income it demands!)
Our best people do not aspire to be in government, to boot. Always keep this in mind when you read stories like this.
The German police will be arresting him soon. He had the audacity to screw with a major corporation. His days are numbered.
Why is he redirecting traffic to an actual server that costs him money?
Why not just change the DNS listing to 127.0.0.1?
Microsoft operates buildmypinnedsite.com, so what would be so hard about them just reclaiming it, especially now that this is in the news?
I am failing to understand how a bad actor could steal a subdomain? Wouldn't the bad actor have to first steal the TLD?
I doubt the average user would be able to figure out how to remove the start menu tiles. Even with removal, you cannot fully disable them.
This will become a security breach magnitudes beyond Active X.
Microsoft has not lost control over the domain. It's still Microsoft's domain. It points to an Azure domain where they operated the service, and that's gone, so someone else was able to get their server up and running at the address that the domain points to. Microsoft can and should change the domain to point to nowhere or to one of their own servers.
No need to do anything with the DNS.
You can create an Azure or Amazon bucket with any name you want, such as frog.denver, hfjskfhd.fjshdjd.hdhdjhs, or secure.microsoft.com. These are NOT DNS names. They're just arbitrary strings.
In the DNS, Microsoft has the DNS name pointed to Azure.
Azure then has that name pointed to a bucket which just happens to have the same name. It could have any name. If Microsoft deletes the bucket (or other resource), anyone else can create one that happens to have the same name.
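Added example, not part of the thread and not Microsoft's or the researcher's tooling: a defender-side audit that walks a zone's CNAME records and flags any that end at a shared cloud hostname which no longer resolves, the dangling-pointer condition described above. The zone data, the resolver stub and the suffix list are constructed assumptions; the real Azure hostname involved is not given on this page.

```python
import socket

# Shared cloud namespaces where an unused name can be claimed by any customer.
# Assumed list for illustration; extend it to the providers your zone points at.
CLAIMABLE_SUFFIXES = (".azurewebsites.net", ".cloudapp.net", ".trafficmanager.net")


def system_resolves(hostname):
    """Return True if the system resolver finds any address for hostname."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


def follow_cname(name, records, max_hops=8):
    """Follow CNAMEs within our own zone data and return the final target."""
    seen = set()
    while name in records and name not in seen and len(seen) < max_hops:
        seen.add(name)
        name = records[name].rstrip(".").lower()
    return name


def find_dangling(records, resolves=system_resolves):
    """Return (owner, target) pairs ending at a claimable name that is gone."""
    findings = []
    for owner in sorted(records):
        target = follow_cname(owner, records)
        if target.endswith(CLAIMABLE_SUFFIXES) and not resolves(target):
            findings.append((owner, target))
    return findings


# Constructed zone export (owner -> CNAME target); not the real records.
SAMPLE_ZONE = {
    "notifications.example.com": "tiles-svc.azurewebsites.net.",
    "www.example.com": "web-prod.azurewebsites.net.",
    "alias.example.com": "notifications.example.com",
}


def sample_resolves(hostname):
    # Constructed resolver state: of the cloud names, only web-prod still exists.
    return hostname == "web-prod.azurewebsites.net"


if __name__ == "__main__":
    print(find_dangling(SAMPLE_ZONE, sample_resolves))
```

With the default resolver a transient lookup failure looks the same as a deleted resource, so each finding needs manual confirmation before the CNAME is removed or repointed.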
by Hanno Böck: https://www.golem.de/news/subd...
Good lord, why the fuck would I want that?
This sounds like yet another incarnation of the Windows Gadgets or Live Desktop which in every single case Microsoft has had to deprecate due to the gaping security holes it created.
Now they have allowed a domain to lapse which is built into the OS and which allows content to be pushed ... what could possibly go wrong with that?
Live content in the start menu is a fucking dumb idea, and it seems like it's about the 4th or 5th time Microsoft has trotted out this particular dumb idea.
Or a Goatse tile. I think Microsoft would take security seriously if there was a rash of Goatse on people's start menus.
Why do companies insist on directing their traffic all over the internet? Microsoft is in control of www.microsoft.com. Why is there any reason for any service not to be the result of a wholly in control of the company sub-domain of this website?
This isn't the first time a major organisation has registered an absolutely stupid sounding domain with no direct link to any of their products (read: IP that would offer them some protection from domain theft) only to let it lapse and go to someone else. Hell it's not even the first time Microsoft has done it.
Nobody wants their tiles to be animated, nor controlled by commercial interests. Constantly changing the look of an icon defeats the purpose of even having one.
It appears Slashdot has deleted APK's thread about vulnerabilities affecting some ad blocking browser extensions. While it's a bit off-topic and he did make a bogus allegation that whipslash doesn't want to be embarrassed about hosts, there was no good reason to delete the thread.
I despise APK and, in fact, he's been demanding my name and address so he can fracture my skull. Yes, he made that specific threat. Despite him being a complete asshole and nutjob, his comments in this story didn't deserve to be deleted. They weren't threatening anyone, nor were they even that disruptive.
No, the comments weren't moderated. They were deleted. There was a thread and other users had started commenting in the thread before an editor deleted it. Slashdot has been deleting comments routinely over the past several months.
CmdrTaco was apologetic when he had to delete a scientology comment because of a DMCA takedown request. He believed in the principle of free speech, which is why that comment was one of the few times he ever deleted a comment. The other times were when comments exploited vulnerabilities in Slashdot's code to break the rendering of the site. Comment deletion was rare because CmdrTaco believed in free speech and that moderation was sufficient. Those principles are lost on the current ownership.
I don't believe that whipslash is directly responsible for deleting comments. He rarely posts stories and doesn't seem to care about this site. He's a bean counter who hasn't kept his promises to improve Slashdot. This is probably one or more of the other editors deleting comments.
And no, this isn't some noble effort to rid the comment section of spam. They don't seem to delete the antisemitic diatribes or swastika ASCII art that shows up routinely. They don't delete the posts that regularly harass SuperKendall, raymorris, and ShanghaiBill. Comment deletion is very arbitrary and there seems to be no standard for why comments get deleted. Most of the truly offensive posts, like the antisemitic manifestos, almost never get deleted. Even when I flag those posts, it's very rare that anything happens. It's entirely possible that the option to report posts is a placebo and does nothing at all, especially because the management won't release the source that currently runs this site so we can see what reporting posts does.
Instead of deleting posts for no apparent reason, the editors could moderate them to -1. The editors have unlimited mod points. Better yet, they could fix the problems with this site, including many bugs that have been around for months or years. They could focus on posting better stories. But apparently it's more important to pretend to police the comments a la TSA's security theatre. Comment quality isn't improving and Slashdot continues to be a complete joke.
Microsoft is such a bad joke...
And so is literally every one of their products.
Windows being the most horrible piece of shit and spyware.
Now this guy? This guy gets it.
You don't seem to understand. He actually saved them, and the world. If he hadn't grabbed this, criminals would have and redirected it to serve up viruses to anyone using live tiles, which is.... almost everyone using a modern Windows right now. In addition, he contacted them to let them know about the issue and offered it back to them. But, they ignored his request. It is becoming expensive for him to continue hosting the service because of the vast number of incoming connections. He is warning the world he is about to release control back into the wild at which point anyone could do exactly what he has done. This should now get Microsoft's attention because of the publicity and they'll be able to step in and prevent any issues. The absolute incorrect action is to arrest the guy who stood in front of the loaded gun and took a bullet for you. This isn't the bad guy.
Looks like they fixed it
$ host notifications.buildmypinnedsite.com
Host notifications.buildmypinnedsite.com not found: 3(NXDOMAIN)
hello.jpg on a million desktops
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
It's only a security kerfuffle because Microsoft got lucky that Hanno Bock didn't use the power Microsoft handed him. From what I can tell, Microsoft's default start menu is populated with pictures and links to news stories (typical corporate news rubbish). Microsoft made an extremely poor decision to set up the default start menu the way they did, drawing anything from an Internet-based source without explicit user approval and consent. Then Microsoft lost control of the domain feeding that info (not the first time Microsoft has lost control over something that caused them to try and cover with public relations; I recall another domain they lost control over and, more recently, a chatbot they allowed to be programmed by public user input).
Bock could have silently fed content to users with other messages making it look like Microsoft suddenly favored causes they actually don't, like being anti-war or pro-software freedom. Or Bock could have located an exploit for the code that populates and draws those rectangles in the start menu and fed (what Microsoft often calls) "specially constructed" input designed to take advantage of those bugs and perhaps run code on the system. Some other user who came into the power Bock did might have made different choices which more clearly and publicly exposed Microsoft's thoroughly shitty design and the consequences of software non-freedom (where only Microsoft can fix the software that may still be vulnerable on millions of Windows 10 systems).
Digital Citizen