  Wildcatboy Premium,Mod join:2000-10-30 Toronto, ON
Host: Security Product V.. Security
Microsoft DNS resolver sabotaged hosts-file lookup?
It seems that we're going to see a somewhat heated discussion on the Internet about Microsoft deliberately sabotaging their DNS client's hosts table lookup functionality so people can't override the DNS lookup using their Hosts files. This means that even if you pointed the update server to your localhost, you'd still go to the site and the update will happen regardless of your wishes.
This affects updates such as Media player for example where you have no choice within the software itself to stop the update because your only choices are updating once per day/week/month, but not "Don't check at all".
The article can be found here:
»permalink.gmane.org/gmane.comp.s···re/43878
This is going to turn into a heated discussion as people are questioning the lack of disclosure by Microsoft to say the least.
This is also important because if Microsoft can do that, so can the big companies serving people ads and spyware, and the Hosts file may not provide the kind of protection people think it does. -- You can catch the Devil, but you can't hold him long.
  SnowyOne Premium join:2003-04-05 Kailua, HI
Did I spell "arrogance" correctly?
  hpguru Curb Your Dogma Premium join:2002-04-12
reply to Wildcatboy: Unless I read it wrong, it won't be an issue for users who disable the DNS client, which I and just about every other hosts file vendor recommend. Microsoft is clearly in the wrong for not disclosing this, however.
said by Wildcatboy: This is also important because if Microsoft can do that, so can the big companies serving people ads and spyware and the Hosts file may not provide the kind of protection people think it does. Depends on what you have in mind with regard to big companies subverting DNS. It has always been my stance that users should not waste their time trying to protect their hosts files, which are replaceable, but to concentrate instead upon securing their OS against intrusion. Apart from infection, there has always been the risk of companies making the hosts file useless by using an IP address rather than their domain names in their URLs, but only an insignificant number of outfits have opted to do that. The reason is simple - IP addresses are subject to change, whereas domain names are much less likely to change over a long period of time. -- Get hpHOSTS! Member ASAP hpHOSTS Online Paranoia is no substitute for understanding.
  hpguru Curb Your Dogma Premium join:2002-04-12
reply to Wildcatboy: I spoke too soon. The DNS Client service isn't involved.
  hpguru Curb Your Dogma Premium join:2002-04-12
reply to Wildcatboy: I see all the same strings in the dnsapi.dll file, namely:
www.msdn.com msdn.com www.msn.com msn.com go.microsoft.com msdn.microsoft.com office.microsoft.com microsoftupdate.microsoft.com wustats.microsoft.com support.microsoft.com www.microsoft.com microsoft.com update.microsoft.com download.microsoft.com microsoftupdate.com windowsupdate.com windowsupdate.microsoft.com
I am wondering if this is part of their defense in depth initiative, since all of these are required for OS and software support. There are numerous other domains they could have added but didn't, such as their ad, cookie and tracking servers. -- Get hpHOSTS! Member ASAP hpHOSTS Online Paranoia is no substitute for understanding.
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
reply to Wildcatboy: One of the biggest fears that a software developer has is what happens if something happens such that my clients cannot reach me when they really need to. The same applies to online updates. All Microsoft is doing here is taking one step towards ensuring that you can get to them when needed. These are all client support orientated URLs, so I have no problem with this.
Perhaps the real problem here is why Media Player is so insistent on checking for updates (is this really a bad thing?). Why not perhaps offer a way to turn off auto-updates (but then of course you accept all responsibilities thereafter)? To me the real question is, how do you handle update notifications, auto-updates, etc., and at what level of user impact?
Blake -- Your government sucks, my government sucks, therefore all governments suck, but until someone comes up with a better idea, the suckage shall continue.
  SnowyOne Premium join:2003-04-05 Kailua, HI
·RoadRunner Cable
·Clearwire Wireless
1 edit | said by Link Logger: These are all client support orientated URLs so I have no problem with this. Is this the extent of it or the beginning of it?
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB
For the moment I'd have to say that is the extent of it, as I have not seen or heard anything to indicate otherwise.
Blake
  jig
join:2001-01-05 Hacienda Heights, CA
reply to Wildcatboy: Interesting. Tonight I just noticed that MS has changed updates (the general one) for Win2k so that to download and install you have to have the Automatic Updates service running AND set to run automatically at boot. Manual and running isn't good enough.
And I think we found out earlier that even with the "don't use automatic updates" box checked in the settings for Automatic Updates (and the service running), MS was able to push a specific update anyway a little while back. I forget if this was proved or just rumor...
This feels like a run towards DRM for the OS and anything tied into a DRM service run by MS.
Copper-foil hat firmly in place... -- A man compounded of law and gospel is able to cheat a whole country with his religion and then destroy them under color of law. -Ben Franklin
  confused Super Member
join:2005-03-28
reply to Wildcatboy: Thanks for a very interesting link.
I entered www.microsoft.com into my HOSTS file, rebooted just to be sure, and typed www.microsoft.com into my browser. I didn't go to 127.0.0.1, for sure. I was a bit surprised, as at first glance I thought this to be a Media Player issue.
BTW, DNS client is disabled here. -- The information is provided AS IS without responsibility for anything, including, but not limited to, the contents, typos, errors.....
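A way to repeat the experiment above on a whole hosts file instead of one name, as an added example that is not from the thread: parse the hosts file, resolve every pinned name through the system resolver, and list the entries whose override was not honoured. The hosts-file contents below are constructed for illustration, and the resolver is passed in as a function so the check can be exercised without network access.

```python
import socket
import sys
from typing import Callable, Dict

# Constructed sample hosts file modelled on the experiment in the thread:
# pin the update hosts to localhost and see whether the resolver honours it.
SAMPLE_HOSTS = """\
# hosts file (constructed example, not a real system file)
127.0.0.1   localhost
127.0.0.1   www.microsoft.com            # named in dnsapi.dll per the thread
127.0.0.1   windowsupdate.microsoft.com  # likewise
127.0.0.1   ads.example-tracker.invalid  # an ordinary ad-blocking entry
"""

def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname in hosts-file text to the address it is pinned to.
    Comments and blank lines are skipped; the first entry for a name wins."""
    pinned: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            pinned.setdefault(name.lower(), addr)
    return pinned

def find_ignored_entries(pinned: Dict[str, str],
                         resolve: Callable[[str], str]) -> Dict[str, str]:
    """Resolve every pinned name and return {name: answer} for each entry whose
    answer differs from the pinned address, i.e. the override was ignored.
    Resolver errors are reported as answers too, so nothing is skipped silently."""
    ignored: Dict[str, str] = {}
    for name, addr in pinned.items():
        try:
            answer = resolve(name)
        except OSError as exc:
            answer = f"<error: {exc}>"
        if answer != addr:
            ignored[name] = answer
    return ignored

def system_resolve(name: str) -> str:
    """Ask the OS resolver; run this on Windows to repeat the thread's test."""
    return socket.gethostbyname(name)

if __name__ == "__main__":
    # Usage: python hosts_check.py [hosts file]; defaults to the sample above.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for name, answer in find_ignored_entries(parse_hosts(text), system_resolve).items():
        print(f"override for {name} ignored: resolver returned {answer}")
```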
  Khaine
join:2003-03-03 Australia
reply to Wildcatboy: Perhaps this is just a response to malware redirecting people away from Windows Update, preventing them from removing the crap on their PCs?
Before we go off half-cocked, it would be nice to hear an official explanation from Microsoft.
  jap Premium join:2003-08-10 038xx
·RoadRunner Cable
1 edit | reply to Link Logger: said by Link Logger: ...why is Media Player so insistent on checking for updates (is this really a bad thing) Well, it would be bad if it acted upon pre-WMP7, trying to update "classic", but it doesn't. I just imaged a Win2k testbox back to 2006.03.16 and hit the update site with only mplayer2.exe 6.4.9.1125 installed, and WU left it alone.
  norwegian Premium join:2005-02-15 Outback
·WestNet Broadband
reply to Khaine: said by Khaine: Perhaps this is just a response to malware redirecting people away from windows update, preventing them from removing the crap on their pc's? Before we go off half cocked, it would be nice to hear an official explanation from microsoft. Since when has Microsoft spent the time to even bother commenting here? If it wasn't for Aaron Hulett remembering his roots, you would have no one even bothering with the time of day from Microsoft.
 tkdslr
join:2004-04-24 Pompano Beach, FL
·Speakeasy
reply to Wildcatboy: said by Wildcatboy: It seems that we're going to see a somewhat heated discussion on the Internet about Microsoft deliberately sabotaging their DNS client's hosts table lookup functionality so people can't override the DNS lookup using their Hosts files. This means that even if you pointed the update server to your localhost, you'd still go to the site and the update will happen regardless of your wishes. This is going to turn into a heated discussion as people are questioning the lack of disclosure by Microsoft to say the least. You have to shut down and disable the "DNS Client" service in order to get XP to behave like a normal OS (9x, NT, Unix, Linux, BSD (Apple), etc.).
It's been mentioned before... just not by Microsoft.
I suspect it's just a matter of time before some enterprising hacker uses it to fake a Windows Update website and cause some real damage.
  Khaine
join:2003-03-03 Australia
reply to norwegian: said by norwegian: said by Khaine: Perhaps this is just a response to malware redirecting people away from windows update, preventing them from removing the crap on their pc's? Before we go off half cocked, it would be nice to hear an official explanation from microsoft. Since when has Microsoft spent the time to even bother commenting here. If it wasn't for Aaron Hulett remembering his roots, you would have no one even bothering with the time of day from Microsoft You forget all the Microsofties who post the monthly security bulletins. And this site probably has the largest collection of MSVPs, who I'm sure could elicit a response.
 DprssdIsntFn Premium join:2004-01-12 Pompton Lakes, NJ
reply to Wildcatboy: There are several issues here, of which privacy is just one among them.
Medical service providers are required to use secure PCs / workstations which contain patient data. By definition, phoning home for _any_ reason unknown to the PC user means said PC / workstation is insecure.
Wide dissemination of this information provides a clear example to other mainstream vendors on how to bypass user wishes in a "behind their backs" manner. Think Adobe Acrobat or Real Player as potential software for this functionality.
The same thing applies to spyware and other malware writers. Analyse the DLL in question, then write one to do what you want it to do. Too many people can be socially engineered into installing the most amazing crap and replacing DLLs.
Sure, most of the included domains appear to do with "updates". Do you actually trust MS to believe that they won't expand their definition of "updates" in the future? Do you actually trust MS today not to aggregate the phone home information? I already find the inclusion of mediaplayer updates to be questionable. The single biggest reason why I dropped MS at home and switched to Gentoo GNU/Linux was that I simply don't trust MS.
Finally, given MS's history of broken, borked, and faulty updates, nagging people relentlessly to install DRM related updates doesn't seem to me to be very good for the user. Note that mediaplayer _security_ updates are included in _windows update_!
Seriously, I administer a PatchLink update server at work. Most people never get the chance to see a lot of updates listed at one time. I've run into several examples where MS has released patches to fix patches going back as many as 5 and 6 generations. This "patch to fix the previous patch which fixed a different previous patch" and so on is ridiculous.
  Rocky67 Pencil Neck Geek Premium join:2005-01-13 Orange, CA
·AT&T Yahoo
reply to Wildcatboy: One of the reasons I dumped the OneCare beta was because I couldn't prevent it from downloading and installing updates.
Looks as though we don't have to wait for Vista to own our systems; it's already happened. -- They have the Internet on computers now? - Homer
  ZOverLord Premium join:2003-10-20 Minneapolis, MN
3 edits | reply to Wildcatboy: I thought everyone knew they had done this, or at least they were OK with it. I never heard a peep until the last few days at insecure.org, and even there most people seemed to be OK with it.
Actually, as bad as it looks, since it is their OS, it's not a bad idea. I think if they had made some formal announcement about it the only thing it would have done is caused people to try and hack the strings and modify the host file to point somewhere else which defeats the whole purpose for hard-coding it.
Personally, I am glad it is there, at least by being forced ("Assuming that the dnsapi.dll has not been hacked") you can't be re-directed via some hack while say doing auto-updates.
This was posted on insecure.org on the 13th here:
»seclists.org/lists/fulldisclosur···266.html
Personally I think the general feeling there is the one I share. The DNS server can still go anywhere it wants; it just won't allow a hosts file to override those addresses. Now if ANY site was non-Microsoft, sure, I would go ballistic. But I can see how corporate good could override personal need ("You could still run your own personal DNS server and bypass this").
I think all this does is not allow a hosts file hack to bypass things which Microsoft is responsible for. -- Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com
  jbob Reach Out and Touch Someone Premium join:2004-04-26 Little Rock, AR
·Comcast
·AT&T Southwest
1 edit | reply to Wildcatboy: I think we're just rehashing old news (not saying it doesn't need rehashing). On another site I frequent a poster had mentioned this info yesterday, and another poster pulled up sent-folder messages from Sept 2004 when this same information was discussed. It would appear this started with the release of XP SP2.
Is the culprit C:\Windows\System32\dnsapi.dll?
"Eüýÿÿf9Hþ"Q ÃMü_^[èg-ÿÿÉ www.msdn.com msdn.com www.msn.com msn.com go.microsoft.com msdn.microsoft.com office.microsoft.com microsoftupdate.microsoft.com wustats.microsoft.com support.microsoft.com www.microsoft.com microsoft.com update.microsoft.com download.microsoft.com microsoftupdate.com windowsupdate.com windowsupdate.microsoft.com ÿUìì( ¡$ôvf¥Øþÿÿ S]S?Eü.À.') .ÒVWt*jú¾ü'òvY3Àó
Those string entries are not there in the W2K version. Perhaps someone with XP SP1 running can check that DLL.
Guess this was hot news 18 months ago, but it seems the security/privacy types just dropped it.
Edit: Oops, after I posted the DLL info I see that hpguru had already posted that tidbit.
  techjoe Premium join:2004-02-20 Schererville, IN
1 edit | File: dnsapi.dll MD5: 7e9b35ce89adebebad5b73b708eedc7f Size: 139264
XP SP1. Hostname strings are NOT present. -- www.clanc.cc
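The check that hpguru, jbob and techjoe ran by hand (dump the DLL's strings, look for the hostname list, note MD5 and size), as an added example that is not from the thread: it scans a file for the quoted hostnames in both ASCII and UTF-16LE, counting only standalone occurrences so that "msn.com" is not credited for "www.msn.com". The sample bytes are constructed for illustration and are not real dnsapi.dll contents.

```python
import hashlib
import re
import sys
from typing import Dict, List

# The hostname list quoted from dnsapi.dll earlier in the thread.
HARDCODED_HOSTS = [
    "www.msdn.com", "msdn.com", "www.msn.com", "msn.com", "go.microsoft.com",
    "msdn.microsoft.com", "office.microsoft.com", "microsoftupdate.microsoft.com",
    "wustats.microsoft.com", "support.microsoft.com", "www.microsoft.com",
    "microsoft.com", "update.microsoft.com", "download.microsoft.com",
    "microsoftupdate.com", "windowsupdate.com", "windowsupdate.microsoft.com",
]
# A hit must not be glued to further hostname characters on either side,
# otherwise "msn.com" would also fire on "www.msn.com" and inflate the count.
HOSTCHAR = rb"[A-Za-z0-9.\-]"

def find_hardcoded_hosts(blob: bytes) -> Dict[str, List[str]]:
    """Return {hostname: [encodings]} for each list entry found in blob as a
    standalone string, in ASCII and/or UTF-16LE (where each char is NUL-padded)."""
    found: Dict[str, List[str]] = {}
    for host in HARDCODED_HOSTS:
        hits = []
        narrow = re.escape(host.encode("ascii"))
        if re.search(rb"(?<!" + HOSTCHAR + rb")" + narrow + rb"(?!" + HOSTCHAR + rb")", blob):
            hits.append("ascii")
        wide = re.escape(host.encode("utf-16-le"))
        if re.search(rb"(?<!" + HOSTCHAR + rb"\x00)" + wide + rb"(?!" + HOSTCHAR + rb"\x00)", blob):
            hits.append("utf-16le")
        if hits:
            found[host] = hits
    return found

def report(path: str) -> Dict[str, object]:
    """MD5 and size, as posted in the thread, plus which hostnames are present."""
    blob = open(path, "rb").read()
    return {"md5": hashlib.md5(blob).hexdigest(), "size": len(blob),
            "hosts": find_hardcoded_hosts(blob)}

# Constructed stand-in for a DLL image; these are not real dnsapi.dll bytes.
SAMPLE_BLOB = (
    b"MZ\x90\x00junk\x00"
    + b"www.microsoft.com\x00"                          # ASCII, standalone: hit
    + b"\x00" + "windowsupdate.com".encode("utf-16-le") + b"\x00\x00"  # wide: hit
    + b"www.msn.com\x00"                                # "msn.com" is not standalone here
    + b"notmicrosoftupdate.com\x00"                     # glued prefix: no hit
)

if __name__ == "__main__":
    # Usage: python dll_hosts.py <file>; with no argument, scan the sample bytes.
    print(report(sys.argv[1]) if len(sys.argv) > 1 else find_hardcoded_hosts(SAMPLE_BLOB))
```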