Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: [Full-disclosure] Microsoft DNS resolver: deliberately sabotaged hosts-file lookup
From: Joachim Schipper <j.schipper () math uu nl>
Date: Fri, 14 Apr 2006 02:13:21 +0200

On Thu, Apr 13, 2006 at 06:29:15PM +0100, Dave Korn wrote:

  Hey, guess what I just found out:  Microsoft have deliberately sabotaged 
their DNS client's hosts table lookup functionality.

(...) I'd try to block (Windows Media Player) it in my hosts file.

  Microsoft DNS client special-cases 'go.microsoft.com' and refuses to look 
it up in the hosts file.

  I'm running fully up-to-date Windows XP SP2.  I don't have any pfw 
software that could conceivably be interfering, and the windows firewall is 
running with more-or-less the default settings (I've only added a couple of 
exceptions, no other changes).  I don't think this is a false positive.

  On reading through %WINDIR%\system32\dnsapi.dll with 'strings', I find the 
following hostnames listed.  I assume they are all also singled out for 
special treatment:-

www.msdn.com
msdn.com
www.msn.com
msn.com
go.microsoft.com
msdn.microsoft.com
office.microsoft.com
microsoftupdate.microsoft.com
wustats.microsoft.com
support.microsoft.com
www.microsoft.com
microsoft.com
update.microsoft.com
download.microsoft.com
microsoftupdate.com
windowsupdate.com
windowsupdate.microsoft.com

[  I've verified that the same behaviour occurs for office.microsoft.com, 
exactly as for go.microsoft.com, but haven't tried any of the others yet. 
I'd bet real money on it, though.  ]

What's your point? It's not like it's the first piece of software ever
to bypass the hosts file, is it? And if you're a software giant, that's
easy to do at a lower level.

Blacklisting IP addresses by /etc/hosts or equivalent is an extremely
broken way of blocking, anyway; and vague hacks like that need not be
supported. Use a real, non-host-based firewall.

Of course, you might wish to stop certain software from phoning home.
Fine, but use something that works - MS is evil in many ways, but not
because this particular hack happens not to work.

Switching to OSS quite nicely solves all these problems, though.

                Joachim


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]