http://www.ISAserver.org ------------------------------------------------------- Drives me crazy. t On 4/24/06 9:28 AM, "Steve Moffat" <steve@xxxxxxxxxx> spoketh to all: > http://www.ISAserver.org > ------------------------------------------------------- > > :)....not just the SBS list then that's full of ............... > > -----Original Message----- > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] > On Behalf Of Thor (Hammer of God) > Sent: Monday, April 24, 2006 1:25 PM > To: ISA Mailing List > Subject: [isalist] FW: [Full-disclosure] Microsoft DNS resolver: > deliberately sabotagedhosts-file lookup > > http://www.ISAserver.org > ------------------------------------------------------- > > > I just couldn't wait for BT to post this. Coming soon, the HOSTS > GUI!!!! > Jeeze.... > > t > > > ------ Forwarded Message > From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx> > Date: Mon, 24 Apr 2006 09:15:50 -0700 > To: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx> > Conversation: [Full-disclosure] Microsoft DNS resolver: deliberately > sabotagedhosts-file lookup > Subject: Re: [Full-disclosure] Microsoft DNS resolver: deliberately > sabotagedhosts-file lookup > > > Response in-line: and the last one unless someone can post something > intelligent on the matter... > > > On 4/20/06 5:18 AM, "Geo." <geoincidents@xxxxxxx> spoketh to all: > >>> MSN and MSDN. It is to keep hosts file entries from taking users to >>> phishing sites where they may enter credentials that could be stolen. >> >> So you agree with me, that it's more for passport functionality than >> to allow trojaned users to get to windows update. > > Um, no, I don't agree with you in the least. It's not "more for > passport functionality." Passport does not need to by-pass host entries > to function. > We've already gone over what the behavior is for, but that doesn't seem > to matter to you. > >>> It's not Microsoft's job to protect Symantec customers. >> >> No it's not, it's Microsoft's job to protect windows users, millions >> of who use NortonAV. But it would seem that MS is more interested in >> protecting their user tracking information than the users. > > Oh, I see now. It's about tracking users now, is it? So you're saying > that the exception list in dnsapi.dll is not only there for some > super-secret Passport "functionality" but now Microsoft is using it to > protect "their user tracking information?" Brilliant. I suppose that > the next argument will be that dnsapi.dll contains the secret as to > where that one sock goes after it's lost in the dryer, right? Hey! > Maybe that's what winsock really is!! > >>> Because "hosts" is a simple text file that is designed to be edited >>> and maintained by the administrator of the machine. >> >> It would be trivial to create a hosts editing GUI interface that could > >> manage a protected hosts file. Does anyone but me long for the days of > >> the NT team where they wouldn't do something if they couldn't do it >> right? I mean what's next, they going to modify firewall settings if >> the user has locked out features that are required for windowsupdate > or passport to work? > > Trivial, huh? Get right on that, then. If it's trivial, then write it > up and post it. Of course, malware would only have to use the same hook > that the GUI does. But you might have something here. Let's see, > rather than a simple exception list, you'd rather have a "protected" > hosts file that requires a special GUI for administrators to use to > manage host entries and that would require additional API's for DNS to > access it as well as other 3rd party functions, huh? Administrators > would have read/write, but users would only be able to read it, right? > Yep, all you have to do is whip up a nifty GUI that performs the proper > token permission checking as well as file-level permissions. Utterly > ridiculous, and it still does nothing to prevent malware abuse. > > >>> This is really simple. MyDoom altered the hosts file so people >>> couldn't hit go.microsoft.com, so they added an exception list for > their sites. >> >> The right way to fix it would have been to ask the user before >> bypassing hosts since by your own statements hosts is a file for the >> administrator to manage. Perhaps the admin put MS sites in hosts files > >> to keep his users from updating components on their own? >> >>> The reason it wasn't documented was so that malware authors wouldn't > >>> know to bypass it, but now some do. Oh well, worked for a while. >> >> Oh please lets not justify sneaky stuff that affects a users security >> settings by saying it had to be done sneaky so the hackers wouldn't >> know, the hackers figure this stuff out in seconds. Just mark this as >> a stupid idea and add a popup before it bypasses values in the hosts >> file so the user is allowed to permit or deny it. Had they done that I > >> would have defended their actions, it's when they mess with a users >> security without asking that I find it inappropriate behavior for a > company like MS. > > Let me get this straight: After creating the magic GUI for hosts > management, Microsoft is to prompt the user with a pop-up that says > "Attention Stupid Administrator: We are about to bypass the hosts file > entry for MSDN so that we can track your user information, ensure that > Passport functionality is maintained, as so that we can search for that > sock you lost in the dryer last week. Are you sure that you don't want > us to not do that? Please click YES, NO, or MAYBE." > > That would make it less stupid? > > t > > ------ End of Forwarded Message > > > ------------------------------------------------------ > List Archives: //www.freelists.org/archives/isalist/ > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server Articles and Tutorials: > http://www.isaserver.org/articles_tutorials/ > ISA Server Blogs: http://blogs.isaserver.org/ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ > List Archives: //www.freelists.org/archives/isalist/ > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server Articles and Tutorials: > http://www.isaserver.org/articles_tutorials/ > ISA Server Blogs: http://blogs.isaserver.org/ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp > Report abuse to listadmin@xxxxxxxxxxxxx > > > ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx