| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 14 Apr 2006 02:13:21 +0200 From: Joachim Schipper <j.schipper@...h.uu.nl> To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com Subject: Re: Microsoft DNS resolver: deliberately sabotaged hosts-file lookup On Thu, Apr 13, 2006 at 06:29:15PM +0100, Dave Korn wrote: > > Hey, guess what I just found out: Microsoft have deliberately sabotaged > their DNS client's hosts table lookup functionality. > (...) I'd try to block (Windows Media Player) it in my hosts file. > Microsoft DNS client special-cases 'go.microsoft.com' and refuses to look > it up in the hosts file. > I'm running fully up-to-date Windows XP SP2. I don't have any pfw > software that could conceivably be interfering, and the windows firewall is > running with more-or-less the default settings (I've only added a couple of > exceptions, no other changes). I don't think this is a false positive. > > On reading through %WINDIR%\system32\dnsapi.dll with 'strings', I find the > following hostnames listed. I assume they are all also singled out for > special treatment:- > > www.msdn.com > msdn.com > www.msn.com > msn.com > go.microsoft.com > msdn.microsoft.com > office.microsoft.com > microsoftupdate.microsoft.com > wustats.microsoft.com > support.microsoft.com > www.microsoft.com > microsoft.com > update.microsoft.com > download.microsoft.com > microsoftupdate.com > windowsupdate.com > windowsupdate.microsoft.com > > [ I've verified that the same behaviour occurs for office.microsoft.com, > exactly as for go.microsoft.com, but haven't tried any of the others yet. > I'd bet real money on it, though. ] What's your point? It's not like it's the first piece of software ever to bypass the hosts file, is it? And if you're a software giant, that's easy to do at a lower level. Blacklisting IP addresses by /etc/hosts or equivalent is an extremely broken way of blocking, anyway; and vague hacks like that need not be supported. Use a real, non-host-based firewall. Of course, you might wish to stop certain software from phoning home. Fine, but use something that works - MS is evil in many ways, but not because this particular hack happens not to work. Switching to OSS quite nicely solves all these problems, though. Joachim _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists