Information Assurance

Daryaneh Badaly




Bugtraq Analysis

Extra Sources: Wikipedia, "Hosts file" (background on the hosts file, including the DoubleClick ad-blocking example)

Microsoft DNS Resolver [1][2]


The Issue:
Normally, you can override DNS lookups by specifying a hostname and IP in the hosts file, which is searched before any query is issued to your DNS Server. Notably, this is done to block ads, and spyware. For example, if you wanted to block Doubleclick ads, you could add the following to your hosts file: 127.0.0.1(home IP) ad.doubleclick.net. The Microsoft DNS Client special-cases “go.microsoft.com” (and other Microsoft and Windows sites) and refuses to look it up in its hosts files.

List of special-cases:
DomainScreenList:

windowsupdate.microsoft.com
windowsupdate.com
microsoftupdate.com
download.microsoft.com
update.microsoft.com

HostsScreenList:
microsoft.com
www.microsoft.com
support.microsoft.com
wustats.microsoft.com
microsoftupdate.microsoft.com
office.microsoft.com
msdn.microsoft.com
go.microsoft.com
msn.com
www.msn.com
msdn.com
www.msdn.com

Problems: If you have a legitimate reason to block a site such as "go.microsoft.com," the hosts file cannot do it, and nothing tells you that your entry is being ignored. The Bugtraq post that raised the problem wanted to block Windows Update for Windows Media Player. One can also imagine a more serious case: if one of the listed sites were compromised, a person who needs to block it quickly would find that the usual hosts-file method no longer works.

Benefits: The special-casing survives malicious hosts-file modification, so malware cannot use the hosts file to cut the machine off from Windows Update. Malware such as MyDoom rewrites the hosts file specifically to keep clients from reaching anti-virus sites and update sites like go.microsoft.com. Note that the protection is one-sided: it covers only the Microsoft names on the two lists, so the same hosts-file trick still works against anti-virus vendors' sites.
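The following script is an added example (not code from the page, the Bugtraq post, or Microsoft) that ties together the two points above: it parses a hosts file, predicts which overrides the screened resolver would honour and which it would silently ignore, and flags MyDoom-style entries that null-route anti-virus names. The two lists are copied from the page; the matching rule (HostsScreenList matches the exact host, DomainScreenList matches the domain and all of its subdomains) is an assumption inferred from the list names, and the sample hosts file and the anti-virus watchlist are constructed for the example.

```python
"""Emulate hosts-file screening by the Microsoft DNS Client and flag tampering.

Added example. Assumption: HostsScreenList is an exact-host match and
DomainScreenList is a domain-suffix match; the page does not document this.
"""
import ipaddress

# The two lists as given on the page.
DOMAIN_SCREEN_LIST = (
    "windowsupdate.microsoft.com", "windowsupdate.com", "microsoftupdate.com",
    "download.microsoft.com", "update.microsoft.com",
)
HOSTS_SCREEN_LIST = (
    "microsoft.com", "www.microsoft.com", "support.microsoft.com",
    "wustats.microsoft.com", "microsoftupdate.microsoft.com",
    "office.microsoft.com", "msdn.microsoft.com", "go.microsoft.com",
    "msn.com", "www.msn.com", "msdn.com", "www.msdn.com",
)

# Constructed sample hosts file (not from the page).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
127.0.0.1   ad.doubleclick.net          # ad blocking, as in the page's example
127.0.0.1   go.microsoft.com            # on HostsScreenList
0.0.0.0     download.windowsupdate.com  # under windowsupdate.com (DomainScreenList)
127.0.0.1   www.symantec.com            # MyDoom-style anti-virus block
"""

# Constructed watchlist of anti-virus domains malware typically null-routes.
AV_WATCHLIST = ("symantec.com", "mcafee.com", "sophos.com")


def normalise(name):
    """Hostnames are case-insensitive; drop a trailing dot."""
    return name.lower().rstrip(".")


def parse_hosts(text):
    """Return [(ip_address, hostname), ...]; '#' starts a comment, bad lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: skip rather than guess
        for name in fields[1:]:
            entries.append((ip, normalise(name)))
    return entries


def under_domain(name, domain):
    """True if name equals domain or is a subdomain of it."""
    return name == domain or name.endswith("." + domain)


def is_screened(name):
    """Would the resolver ignore a hosts-file entry for this name? (matching rule assumed)"""
    name = normalise(name)
    return name in HOSTS_SCREEN_LIST or any(under_domain(name, d) for d in DOMAIN_SCREEN_LIST)


def classify(text):
    """Map each hostname in a hosts file to 'honoured' or 'ignored'."""
    return {name: ("ignored" if is_screened(name) else "honoured")
            for _, name in parse_hosts(text)}


def is_sink(ip):
    """Loopback (127.0.0.1, ::1) or unspecified (0.0.0.0) is the usual way to null-route a name."""
    return ip.is_loopback or ip.is_unspecified


def suspicious_entries(text, watchlist):
    """Entries that null-route a watched name: the hosts-file tampering MyDoom performs."""
    return [(str(ip), name) for ip, name in parse_hosts(text)
            if is_sink(ip) and any(under_domain(name, w) for w in watchlist)]


if __name__ == "__main__":
    for name, status in classify(SAMPLE_HOSTS).items():
        print(f"{status:8} {name}")
    print("tampering:", suspicious_entries(SAMPLE_HOSTS, AV_WATCHLIST))
```

Run against the sample, the ad-blocking line is honoured while the two Microsoft lines are reported as ignored, which is exactly the silent failure the Bugtraq post complained about; the Symantec line shows up in the tampering report, which is the case the hard-coded lists do nothing to prevent. On a real machine, point `parse_hosts` at the contents of %SystemRoot%\System32\drivers\etc\hosts.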

Is this an issue? It depends on whether or not you need to block sites such as "go.microsoft.com." One suggestion in the discussion was simply not to use Windows. Another was to do the blocking somewhere the resolver cannot override it, for example on a network firewall rather than on the host. As for blocking Windows Media Player updates specifically, Microsoft's site describes how to do this without altering the hosts file.

What do we learn from the problem? The main criticism was that the behaviour was undocumented: the resolver ignores part of the hosts file without telling the user, and the list of affected names was not published. Better documentation would let users make an informed choice about how to block these sites.