Download this update from mybrowser.microsoft.com. Oh, sorry, that was malware on a hijacked sub-domain. Oops

Lax DNS leaves door wide open for miscreants to impersonate Windows giant on its own websites


If you saw a link to mybrowser.microsoft.com, would you have trusted it? Downloaded and installed an Edge update from it? How about identityhelp.microsoft.com to change your password?

Well, you shouldn't have, because the pair were among sub-domains hijacked by vulnerability researchers to prove Microsoft is lax with its own online security.

In short, the Windows giant allowed hundreds of sub-domains – at least 670 – on its big-name microsoft.com, skype.com, visualstudio.com, and windows.com properties to potentially fall into the hands of miscreants who could have commandeered them for phishing and malware distribution.

The caper

It basically would work like this, similar to previous reports of Microsoft web joy-riding: The tech goliath had loads of sub-domains, such as dev.social.microsoft.com and web.visualstudio.com, served by systems hosted in its Azure cloud. For example, mybrowser.microsoft.com might have resolved to something like webserver9000.azurewebsites.net. When you visited mybrowser.microsoft.com, your browser would have been directed, via DNS, to fetch a page from webserver9000.azurewebsites.net.

Now, as we said, Microsoft has loads of these sub-domains, and after a while it just stops updating some of them and abandons them. Unfortunately, and crucially, it leaves the sub-domains' DNS records in place, so, for example, mybrowser.microsoft.com would still point to webserver9000.azurewebsites.net even though the server instance handling it was long since shut down.

This is where the miscreants swoop in. They get an Azure account, and spin up a web server instance, and request the hostname webserver9000, or webserver9000.azurewebsites.net in its full form. Now, when people visit mybrowser.microsoft.com, they are directed instead to the criminals' webserver9000.azurewebsites.net, which offers victims downloads that look like browser updates but are actually ransomware or malware. Or pages that phish for their Office 365 username and password. You get the idea.

Office 365, photo by dennizn via Shutterstock

White-listing Azure cloud connections to grease your Office 365 wheels? About that...

READ MORE

This security shortcoming, and nearly 700 example at-risk sub-domains, were privately reported to Microsoft by Numan Ozdemir and Ozan Agdepe of infosec outfit Vullnerability. To demonstrate the hostnames could be hijacked, they redirected ten of Microsoft's sub-domains, including mybrowser.microsoft.com and identityhelp.microsoft.com, to their own pages hosted on Azure. It appears Microsoft has, in the past 24 hours or so, finally deactivated the sub-domains disclosed by Vullnerability.

"An attacker can upload his own files, create his own databases, track traffic, and create a clone of the main website," Ozdemir and Agdepe explained in an advisory seen by The Register earlier this week ahead of its publication today. "So, it is not possible to detect whether a sub-domain has been hijacked by an attacker or is really managed by system authorities. Attackers threaten security by exploiting visitors' trust."

Ozdemir told El Reg a sub-domain takeover requires little in the way of technical skill, and, depending how long it takes to stumble upon a vulnerable sub-domain, it could take anywhere from five to 30 minutes to commandeer.

Microsoft's response is concerning. It has known about this danger for ages, yet persists with lax DNS management, and has refused to pay out bug bounties for the issue. Ozdemir and Agdepe argued Microsoft's reward scheme included sub-domain security; Redmond disagreed with that interpretation.

All Microsoft has to do is delete DNS entries for sub-domains when decommissioning their servers, or at least consider removing DNS entries for those sub-domains that no longer respond to HTTP requests.

"We have detected more than 670 vulnerable sub-domains, and reported lots of vulnerable sub-domains," said Ozdemir. "We will continue to report all vulnerable sub-domains ... otherwise, nobody will report them to Microsoft. It's a great reason why visitors should be careful while visiting Microsoft's websites. If Microsoft doesn't need us, we invite them to scan all their sub-domains and fix all of vulnerable sub-domains.

"They can detect those vulnerabilities by comparing DNS records and HTTP responses, just as we did."

A spokesperson for Microsoft told El Reg: "We are aware of such reports and are taking appropriate action as needed to help protect Microsoft services and customers." ®


Other stories you might like

  • North Korea pulled in $400m in cryptocurrency heists last year – report

    Plus: FIFA 22 players lose their identity and Texas gets phony QR codes

    In brief Thieves operating for the North Korean government made off with almost $400m in digicash last year in a concerted attack to steal and launder as much currency as they could.

    A report from blockchain biz Chainalysis found that attackers were going after investment houses and currency exchanges in a bid to purloin funds and send them back to the Glorious Leader's coffers. They then use mixing software to make masses of micropayments to new wallets, before consolidating them all again into a new account and moving the funds.

    Bitcoin used to be a top target but Ether is now the most stolen currency, say the researchers, accounting for 58 per cent of the funds filched. Bitcoin accounted for just 20 per cent, a fall of more than 50 per cent since 2019 - although part of the reason might be that they are now so valuable people are taking more care with them.

    Continue reading
  • Tesla Full Self-Driving videos prompt California's DMV to rethink policy on accidents

    Plus: AI systems can identify different chess players by their moves and more

    In brief California’s Department of Motor Vehicles said it’s “revisiting” its opinion of whether Tesla’s so-called Full Self-Driving feature needs more oversight after a series of videos demonstrate how the technology can be dangerous.

    “Recent software updates, videos showing dangerous use of that technology, open investigations by the National Highway Traffic Safety Administration, and the opinions of other experts in this space,” have made the DMV think twice about Tesla, according to a letter sent to California’s Senator Lena Gonzalez (D-Long Beach), chair of the Senate’s transportation committee, and first reported by the LA Times.

    Tesla isn’t required to report the number of crashes to California’s DMV unlike other self-driving car companies like Waymo or Cruise because it operates at lower levels of autonomy and requires human supervision. But that may change after videos like drivers having to take over to avoid accidentally swerving into pedestrians crossing the road or failing to detect a truck in the middle of the road continue circulating.

    Continue reading
  • Alien life on Super-Earth can survive longer than us due to long-lasting protection from cosmic rays

    Laser experiments show their magnetic fields shielding their surfaces from radiation last longer

    Life on Super-Earths may have more time to develop and evolve, thanks to their long-lasting magnetic fields protecting them against harmful cosmic rays, according to new research published in Science.

    Space is a hazardous environment. Streams of charged particles traveling at very close to the speed of light, ejected from stars and distant galaxies, bombard planets. The intense radiation can strip atmospheres and cause oceans on planetary surfaces to dry up over time, leaving them arid and incapable of supporting habitable life. Cosmic rays, however, are deflected away from Earth, however, since it’s shielded by its magnetic field.

    Now, a team of researchers led by the Lawrence Livermore National Laboratory (LLNL) believe that Super-Earths - planets that are more massive than Earth but less than Neptune - may have magnetic fields too. Their defensive bubbles, in fact, are estimated to stay intact for longer than the one around Earth, meaning life on their surfaces will have more time to develop and survive.

    Continue reading

Biting the hand that feeds IT © 1998–2022