[isalist] Re: FW: [Full-disclosure] Microsoft DNS resolver: deliberately sabotaged hosts-file lookup

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 24 Apr 2006 09:33:53 -0700

http://www.ISAserver.org
-------------------------------------------------------
  
Drives me crazy.

t


On 4/24/06 9:28 AM, "Steve Moffat" <steve@xxxxxxxxxx> spoketh to all:

> :)....not just the SBS list then that's full of ...............
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thor (Hammer of God)
> Sent: Monday, April 24, 2006 1:25 PM
> To: ISA Mailing List
> Subject: [isalist] FW: [Full-disclosure] Microsoft DNS resolver:
> deliberately sabotaged hosts-file lookup
> 
> 
> I just couldn't wait for BT to post this.  Coming soon, the HOSTS
> GUI!!!!
> Jeeze....
> 
> t
> 
> 
> ------ Forwarded Message
> From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
> Date: Mon, 24 Apr 2006 09:15:50 -0700
> To: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>
> Conversation: [Full-disclosure] Microsoft DNS resolver: deliberately
> sabotaged hosts-file lookup
> Subject: Re: [Full-disclosure] Microsoft DNS resolver: deliberately
> sabotaged hosts-file lookup
> 
> 
> Response in-line: and the last one unless someone can post something
> intelligent on the matter...
> 
> 
> On 4/20/06 5:18 AM, "Geo." <geoincidents@xxxxxxx> spoketh to all:
> 
>>> MSN and MSDN.  It is to keep hosts file entries from taking users to
>>> phishing sites where they may enter credentials that could be stolen.
>> 
>> So you agree with me, that it's more for passport functionality than
>> to allow trojaned users to get to windows update.
> 
> Um, no, I don't agree with you in the least.  It's not "more for
> passport functionality."  Passport does not need to by-pass host entries
> to function.
> We've already gone over what the behavior is for, but that doesn't seem
> to matter to you.
> 
>>> It's not Microsoft's job to protect Symantec customers.
>> 
>> No it's not, it's Microsoft's job to protect Windows users, millions
>> of whom use NortonAV. But it would seem that MS is more interested in
>> protecting their user tracking information than the users.
> 
> Oh, I see now.  It's about tracking users now, is it?  So you're saying
> that the exception list in dnsapi.dll is not only there for some
> super-secret Passport "functionality" but now Microsoft is using it to
> protect "their user tracking information?"  Brilliant.  I suppose that
> the next argument will be that dnsapi.dll contains the secret as to
> where that one sock goes after it's lost in the dryer, right?  Hey!
> Maybe that's what winsock really is!!
>  
>>> Because "hosts" is a simple text file that is designed to be edited
>>> and maintained by the administrator of the machine.
>> 
>> It would be trivial to create a hosts editing GUI interface that could
>> manage a protected hosts file. Does anyone but me long for the days of
>> the NT team where they wouldn't do something if they couldn't do it
>> right? I mean what's next, are they going to modify firewall settings if
>> the user has locked out features that are required for windowsupdate
>> or passport to work?
> 
> Trivial, huh?  Get right on that, then.  If it's trivial, then write it
> up and post it.  Of course, malware would only have to use the same hook
> that the GUI does.  But you might have something here.  Let's see,
> rather than a simple exception list, you'd rather have a "protected"
> hosts file that requires a special GUI for administrators to use to
> manage host entries and that would require additional APIs for DNS to
> access it as well as other 3rd party functions, huh?  Administrators
> would have read/write, but users would only be able to read it, right?
> Yep, all you have to do is whip up a nifty GUI that performs the proper
> token permission checking as well as file-level permissions.  Utterly
> ridiculous, and it still does nothing to prevent malware abuse.
> 
> 
>>> This is really simple.  MyDoom altered the hosts file so people
>>> couldn't hit go.microsoft.com, so they added an exception list for
>>> their sites.
>> 
>> The right way to fix it would have been to ask the user before
>> bypassing hosts since by your own statements hosts is a file for the
>> administrator to manage. Perhaps the admin put MS sites in hosts files
>> to keep his users from updating components on their own?
>> 
>>> The reason it wasn't documented was so that malware authors wouldn't
>>> know to bypass it, but now some do.  Oh well, worked for a while.
>> 
>> Oh please, let's not justify sneaky stuff that affects a user's security
>> settings by saying it had to be done sneakily so the hackers wouldn't
>> know; the hackers figure this stuff out in seconds. Just mark this as
>> a stupid idea and add a popup before it bypasses values in the hosts
>> file so the user is allowed to permit or deny it. Had they done that I
>> would have defended their actions; it's when they mess with a user's
>> security without asking that I find it inappropriate behavior for a
>> company like MS.
> 
> Let me get this straight:  After creating the magic GUI for hosts
> management, Microsoft is to prompt the user with a pop-up that says
> "Attention Stupid Administrator:  We are about to bypass the hosts file
> entry for MSDN so that we can track your user information, ensure that
> Passport functionality is maintained, and so that we can search for that
> sock you lost in the dryer last week.  Are you sure that you don't want
> us to not do that? Please click YES, NO, or MAYBE."
> 
> That would make it less stupid?
> 
> t
> 
> ------ End of Forwarded Message
> 
> 
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
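An added example, not code from any participant in this thread: a small Python audit that parses a hosts file and flags the kind of tampering the thread describes, MyDoom-style sinkholing of go.microsoft.com and redirection of update or AV-vendor names, so an administrator can detect it while the hosts file stays a plain administrator-managed text file. The watched-domain list, the sinkhole addresses and the sample hosts file are constructed assumptions; they are not the dnsapi.dll exception list.

```python
import ipaddress
import re

# Constructed watch list: names whose hosts-file override is worth flagging,
# since the thread describes malware sinkholing exactly these to block updates.
WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "msn.com", "symantec.com")
# Addresses that neutralise a name rather than redirect it somewhere real.
BLACKHOLE = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}

def parse_hosts(text):
    """Return (address, hostname) pairs; comments, blanks and bad lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # first field is not an address
        for name in fields[1:]:
            entries.append((addr, name.lower().rstrip(".")))
    return entries

def is_watched(name):
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)

def audit_hosts(text):
    """Return (hostname, address, kind) for every watched name the file overrides."""
    findings = []
    for addr, name in parse_hosts(text):
        if is_watched(name):
            kind = "sinkholed" if addr in BLACKHOLE else "redirected"
            findings.append((name, str(addr), kind))
    return findings

# Constructed sample in the style of a tampered Windows hosts file.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       go.microsoft.com
0.0.0.0         windowsupdate.microsoft.com   # blocks updates
10.0.0.5        liveupdate.symantec.com       # hijacks AV updates
192.168.1.20    intranet.example.local
"""

if __name__ == "__main__":
    for name, addr, kind in audit_hosts(SAMPLE_HOSTS):
        print(f"{kind:10} {name} -> {addr}")
```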