April 15, 2006 | Comments: (0)
Microsoft HOSTS file bypass issue
Microsoft bypasses HOSTS file in certain circumstances
There is a lot of talk on various security mailing lists about Microsoft's HOSTS file bypass. It appears that, starting in XP Pro SP2 and W2K3 SP1, various Microsoft-related URLs cannot be overridden by placing alternate IP addresses in the Windows hosts file. It appears to be a strategy by Microsoft to keep malicious hosts file changes from stopping Microsoft patch updates, with a few other Microsoft URLs hardcoded as well.
The following host file exclusions were documented on the Full Disclosure and Bugtraq mailing lists:
---------------------
From: Derek Soeder
To:
Dave, great find! Those lists you dug up are named DomainScreenList and HostsScreenList in the symbols for DNSAPI; here they are for reference...
DomainScreenList:
windowsupdate.microsoft.com
windowsupdate.com
microsoftupdate.com
download.microsoft.com
update.microsoft.com
HostsScreenList:
microsoft.com
www.microsoft.com
support.microsoft.com
wustats.microsoft.com
microsoftupdate.microsoft.com
office.microsoft.com
msdn.microsoft.com
go.microsoft.com
msn.com
www.msn.com
msdn.com
www.msdn.com
-------------------
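One way to audit a hosts file for entries that name the screened hosts listed above, as an added example that is not part of the original post or the quoted mailing-list message. Such entries are the ones the resolver is reported to ignore, and finding them in a hosts file is worth a look because blocking update hosts is the malware behavior this screening targets. The matching rule (suffix match for DomainScreenList, exact match for HostsScreenList), the function names and the sample hosts text are assumptions made for the example.

```python
import ipaddress

DOMAIN_SCREEN_LIST = {  # both lists as quoted on this page from the DNSAPI symbols
    "windowsupdate.microsoft.com", "windowsupdate.com", "microsoftupdate.com",
    "download.microsoft.com", "update.microsoft.com",
}
HOSTS_SCREEN_LIST = {
    "microsoft.com", "www.microsoft.com", "support.microsoft.com",
    "wustats.microsoft.com", "microsoftupdate.microsoft.com",
    "office.microsoft.com", "msdn.microsoft.com", "go.microsoft.com",
    "msn.com", "www.msn.com", "msdn.com", "www.msdn.com",
}

def screened_by(name):
    """Return the covering list's name or None. ASSUMPTION (not on the page):
    DomainScreenList also covers subdomains; HostsScreenList is exact-match."""
    name = name.lower().rstrip(".")
    if name in HOSTS_SCREEN_LIST:
        return "HostsScreenList"
    if any(name == d or name.endswith("." + d) for d in DOMAIN_SCREEN_LIST):
        return "DomainScreenList"
    return None

def audit_hosts(text):
    """Return (line_no, ip, name, list) for each hosts entry naming a screened host."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # strip comment, split on whitespace
        if len(fields) < 2:
            continue  # blank, comment-only or malformed line
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an IP address
        for name in fields[1:]:  # one line may carry several aliases
            which = screened_by(name)
            if which:
                findings.append((line_no, ip, name.lower().rstrip("."), which))
    return findings

# Constructed sample, not taken from a real machine.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com  # constructed entry
0.0.0.0         WWW.MSN.COM. test.windowsupdate.com
"""
if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

To check a live machine, pass the contents of `%SystemRoot%\System32\drivers\etc\hosts` to `audit_hosts`.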
People are hot and fired up about this on both sides of the issue, and many of the arguments on both sides are valid.
My take? In most instances, the instituted changes help make Windows more secure by making it less likely that malware can manipulate Microsoft software update services. Yes, it should have been documented. And yes, to a hundred other statements... but out of all the things we have to complain about in Windows security, that could really use fixing to make Windows more secure, this issue concerns me only very slightly.
To paraphrase a popular Bruce Schneier statement (the original quote was regarding an SSH or SSL bug), if host file bypass is your biggest Windows security issue, then you're more secure than most folks.
On an interesting side note: Four of the "protected" URLs are not currently pointing to valid web pages.
Posted by Roger Grimes on April 15, 2006 09:05 AM