
Thread: Microsoft bypasses HOSTS file.

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885

    Microsoft bypasses HOSTS file.

    Yep, seems that they don't want you blocking MS sites. They cite the reason as protection and security but if one reads into this, there seem to be many more implications. Here are the hosts that they will not allow you to bypass via host files. Again, it's from BugTraq and I have not had time to verify each one.


    This info came from BugTraq:

    DomainScreenList:

    windowsupdate.microsoft.com
    windowsupdate.com
    microsoftupdate.com
    download.microsoft.com
    update.microsoft.com

    HostsScreenList:

    microsoft.com
    www.microsoft.com
    support.microsoft.com
    wustats.microsoft.com
    microsoftupdate.microsoft.com
    office.microsoft.com
    msdn.microsoft.com
    go.microsoft.com
    msn.com
    www.msn.com
    msdn.com
    www.msdn.com

    A quick check suggests that this behavior debuted with XP SP2, and is
    present on 2003 SP1 as well. (I haven't looked at 2003 RTM, but it
    would be interesting if someone please would.)

    --Th13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2
    Ummm... off the cuff, I can live with the autoupdate side of the bypass. On the other hand, I could surmise that there is an existing monitoring function embedded into the other programs and this becomes a sort of "Big Brother"-ish, with me as the littah brah! That is the uncomfortable side.

    If the reason is for protection and security, the question form would be "for whom?" If every time I go online those programs submit integrity check reports and I get a feedback on what the status of my OS programs are (i.e., if there is a clean bill of health or not), then maybe I'd let the "umbilical cord" alone (unless I decide to switch OS). By the way things go, however, it looks like a silent transmitter sending periodic bursts of messages reporting on what I am doing with what or which.

    Problem is, for a newbie like me, I can only grumble. A possible solution is to look at the firewall and check if it is possible to implement a sieve-like method with regard to outgoing and incoming traffic being executed by which program. This is rather tedious, though, and I doubt if the firewalls would work on these files as well.

    ... that's my layman's take of it.
    Si vis pacem, para bellum!

  3. #3
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    It seems like a good thing to me, it will obviously stop malicious software from blocking/redirecting the update site, which has to be a good thing!

    Think I would do the same thing if I was Billy G!

  4. #4
    AO Curmudgeon rcgreen's Avatar
    Join Date
    Nov 2001
    Posts
    2,716
    On reading through %WINDIR%\system32\dnsapi.dll with 'strings', I find
    the following hostnames listed. I assume they are all also singled out
    for special treatment
    http://www.securityfocus.com/archive.../30/0/threaded

    It seems the addresses are written into the dll. It's an amateur
    hack to get ahead of page hijackers that edit the hosts file.
    What they need to do is get rid of ActiveX, instead of experimenting
    like this. What happens when the malware replaces that dll with
    their own corrupted version? As long as the OS permits anyone
    out there to edit/replace your system files through ActiveX,
    it'll only be a temporary fix.
    I came in to the world with nothing. I still have most of it.

  5. #5
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    ActiveX - That is soooo old school.

    COM technology is what they're calling it nowadays. =p
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  6. #6
    Junior Member
    Join Date
    Jan 2006
    Posts
    25
    As long as the OS permits anyone out there to edit/replace your system files through ActiveX
    +
    Code:
    C:\WINDOWS\system32>cacls dnsapi.dll
    C:\WINDOWS\system32\dnsapi.dll
    BUILTIN\Users:R
    BUILTIN\Power Users:R
    BUILTIN\Administrators:F
    NT AUTHORITY\SYSTEM:F
    looks like the attempted introduction of fear, uncertainty and doubt.

    the only way activex can edit or replace this file is if you are AT LEAST using activex as an administrative user. in this instance to claim activex is the problem would be akin to a doctor diagnosing an er patient with attention deficit hyperactivity disorder when that patient is under the influence of cocaine. often times when you remove the big problems the small ones go away.
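
Added example (not part of the original post): a Python check that parses `cacls` output like the listing in post #6 and reports any principal outside an expected set that holds a write-capable right on the file. The expected-writer set, the function names and the second, weaker ACL are assumptions constructed for illustration; the first sample is the listing from the post.

```python
import re

# Simple cacls rights letters: N none, R read, W write, C change, F full control.
WRITE_CAPABLE = {"W", "C", "F"}
# Assumption for this example: only these principals should be able to modify the DLL.
EXPECTED_WRITERS = {"builtin\\administrators", "nt authority\\system"}
# "PRINCIPAL:RIGHT", optionally with inheritance flags such as (OI)(CI) before the right.
ACE = re.compile(r"^(?P<who>.+):(?:\([A-Z]+\))*(?P<right>[NRWCF])$")

def parse_cacls(output, path):
    """Return [(principal, right)] from cacls output for `path`."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        # cacls may print the first ACE on the same line as the file name.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE.match(line)          # prompt and bare path lines do not match
        if m:
            aces.append((m.group("who").strip(), m.group("right")))
    return aces

def unexpected_writers(aces):
    """Principals that can modify or replace the file but are not expected to."""
    return [who for who, right in aces
            if right in WRITE_CAPABLE and who.lower() not in EXPECTED_WRITERS]

PATH = r"C:\WINDOWS\system32\dnsapi.dll"

# Listing as shown in the post above.
PAGE_OUTPUT = r"""C:\WINDOWS\system32>cacls dnsapi.dll
C:\WINDOWS\system32\dnsapi.dll
BUILTIN\Users:R
BUILTIN\Power Users:R
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F"""

# Constructed weak ACL for contrast: ordinary users hold Change.
WEAK_OUTPUT = r"""C:\WINDOWS\system32\dnsapi.dll BUILTIN\Users:C
                               BUILTIN\Administrators:F
                               NT AUTHORITY\SYSTEM:F"""

if __name__ == "__main__":
    for label, out in (("post", PAGE_OUTPUT), ("constructed", WEAK_OUTPUT)):
        print(label, unexpected_writers(parse_cacls(out, PATH)))
```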

  7. #7
    AO Curmudgeon rcgreen's Avatar
    Join Date
    Nov 2001
    Posts
    2,716
    using activex as an administrative user
    And we know that nobody is doing that! LOL
    I came in to the world with nothing. I still have most of it.

  8. #8
    Just checked a Windows 2000 Pro install (fully patched) and it's not in there.

    Interesting.

  9. #9
    Junior Member
    Join Date
    Apr 2006
    Posts
    7
    I wonder what longhorn ahhh I mean Vista is going to have in its bag of tricks?
    If Knowledge is power, then would total knowledge be total power and who would be a god or a lesser?
