Download this update from mybrowser.microsoft.com. Oh, sorry, that was malware on a hijacked sub-domain. Oops

Lax DNS leaves door wide open for miscreants to impersonate Windows giant on its own websites


If you saw a link to mybrowser.microsoft.com, would you have trusted it? Downloaded and installed an Edge update from it? How about identityhelp.microsoft.com to change your password?

Well, you shouldn't have, because the pair were among sub-domains hijacked by vulnerability researchers to prove Microsoft is lax with its own online security.

In short, the Windows giant allowed hundreds of sub-domains – at least 670 – on its big-name microsoft.com, skype.com, visualstudio.com, and windows.com properties to potentially fall into the hands of miscreants who could have commandeered them for phishing and malware distribution.

The caper

It basically would work like this, similar to previous reports of Microsoft web joy-riding: The tech goliath had loads of sub-domains, such as dev.social.microsoft.com and web.visualstudio.com, served by systems hosted in its Azure cloud. For example, mybrowser.microsoft.com might have resolved to something like webserver9000.azurewebsites.net. When you visited mybrowser.microsoft.com, your browser would have been directed, via DNS, to fetch a page from webserver9000.azurewebsites.net.

Now, as we said, Microsoft has loads of these sub-domains, and after a while it just stops updating some of them and abandons them. Unfortunately, and crucially, it leaves the sub-domains' DNS records in place, so, for example, mybrowser.microsoft.com would still point to webserver9000.azurewebsites.net even though the server instance handling it was long since shut down.

This is where the miscreants swoop in. They get an Azure account, and spin up a web server instance, and request the hostname webserver9000, or webserver9000.azurewebsites.net in its full form. Now, when people visit mybrowser.microsoft.com, they are directed instead to the criminals' webserver9000.azurewebsites.net, which offers victims downloads that look like browser updates but are actually ransomware or malware. Or pages that phish for their Office 365 username and password. You get the idea.

Office 365, photo by dennizn via Shutterstock

White-listing Azure cloud connections to grease your Office 365 wheels? About that...

READ MORE

This security shortcoming, and nearly 700 example at-risk sub-domains, were privately reported to Microsoft by Numan Ozdemir and Ozan Agdepe of infosec outfit Vullnerability. To demonstrate the hostnames could be hijacked, they redirected ten of Microsoft's sub-domains, including mybrowser.microsoft.com and identityhelp.microsoft.com, to their own pages hosted on Azure. It appears Microsoft has, in the past 24 hours or so, finally deactivated the sub-domains disclosed by Vullnerability.

"An attacker can upload his own files, create his own databases, track traffic, and create a clone of the main website," Ozdemir and Agdepe explained in an advisory seen by The Register earlier this week ahead of its publication today. "So, it is not possible to detect whether a sub-domain has been hijacked by an attacker or is really managed by system authorities. Attackers threaten security by exploiting visitors' trust."

Ozdemir told El Reg a sub-domain takeover requires little in the way of technical skill, and, depending how long it takes to stumble upon a vulnerable sub-domain, it could take anywhere from five to 30 minutes to commandeer.

Microsoft's response is concerning. It has known about this danger for ages, yet persists with lax DNS management, and has refused to pay out bug bounties for the issue. Ozdemir and Agdepe argued Microsoft's reward scheme included sub-domain security; Redmond disagreed with that interpretation.

All Microsoft has to do is delete DNS entries for sub-domains when decommissioning their servers, or at least consider removing DNS entries for those sub-domains that no longer respond to HTTP requests.

"We have detected more than 670 vulnerable sub-domains, and reported lots of vulnerable sub-domains," said Ozdemir. "We will continue to report all vulnerable sub-domains ... otherwise, nobody will report them to Microsoft. It's a great reason why visitors should be careful while visiting Microsoft's websites. If Microsoft doesn't need us, we invite them to scan all their sub-domains and fix all of vulnerable sub-domains.

"They can detect those vulnerabilities by comparing DNS records and HTTP responses, just as we did."

A spokesperson for Microsoft told El Reg: "We are aware of such reports and are taking appropriate action as needed to help protect Microsoft services and customers." ®


Other stories you might like

  • AMD claims its GPUs beat Nvidia on performance per dollar
    * Terms, conditions, hardware specs and software may vary – a lot

    As a slowdown in PC sales brings down prices for graphics cards, AMD is hoping to win over the market's remaining buyers with a bold, new claim that its latest Radeon cards provide better performance for the dollar than Nvidia's most recent GeForce cards.

    In an image tweeted Monday by AMD's top gaming executive, the chip designer claims its lineup of Radeon RX 6000 cards provide better performance per dollar than competing ones from Nvidia, with all but two of the ten cards listed offering advantages in the double-digit percentages. AMD also claims to provide better performance for the power required by each card in all but two of the cards.

    Continue reading
  • Google opens the pod doors on Bay View campus
    A futuristic design won't make people want to come back – just ask Apple

    After nearly a decade of planning and five years of construction, Google is cutting the ribbon on its Bay View campus, the first that Google itself designed.

    The Bay View campus in Mountain View – slated to open this week – consists of two office buildings (one of which, Charleston East, is still under construction), 20 acres of open space, a 1,000-person event center and 240 short-term accommodations for Google employees. The search giant said the buildings at Bay View total 1.1 million square feet. For reference, that's less than half the size of Apple's spaceship. 

    The roofs on the two main buildings, which look like pavilions roofed in sails, were designed that way for a purpose: They're a network of 90,000 scale-like solar panels nicknamed "dragonscales" for their layout and shimmer. By scaling the tiles, Google said the design minimises damage from wind, rain and snow, and the sloped pavilion-like roof improves solar capture by adding additional curves in the roof. 

    Continue reading
  • Pentester pops open Tesla Model 3 using low-cost Bluetooth module
    Anything that uses proximity-based BLE is vulnerable, claim researchers

    Tesla Model 3 and Y owners, beware: the passive entry feature on your vehicle could potentially be hoodwinked by a relay attack, leading to the theft of the flash motor.

    Discovered and demonstrated by researchers at NCC Group, the technique involves relaying the Bluetooth Low Energy (BLE) signals from a smartphone that has been paired with a Tesla back to the vehicle. Far from simply unlocking the door, this hack lets a miscreant start the car and drive away, too.

    Essentially, what happens is this: the paired smartphone should be physically close by the Tesla to unlock it. NCC's technique involves one gadget near the paired phone, and another gadget near the car. The phone-side gadget relays signals from the phone to the car-side gadget, which forwards them to the vehicle to unlock and start it. This shouldn't normally happen because the phone and car are so far apart. The car has a defense mechanism – based on measuring transmission latency to detect that a paired device is too far away – that ideally prevents relayed signals from working, though this can be defeated by simply cutting the latency of the relay process.

    Continue reading

Biting the hand that feeds IT © 1998–2022