Download this update from mybrowser.microsoft.com. Oh, sorry, that was malware on a hijacked sub-domain. Oops

Lax DNS leaves door wide open for miscreants to impersonate Windows giant on its own websites


If you saw a link to mybrowser.microsoft.com, would you have trusted it? Downloaded and installed an Edge update from it? How about identityhelp.microsoft.com to change your password?

Well, you shouldn't have, because the pair were among sub-domains hijacked by vulnerability researchers to prove Microsoft is lax with its own online security.

In short, the Windows giant allowed hundreds of sub-domains – at least 670 – on its big-name microsoft.com, skype.com, visualstudio.com, and windows.com properties to potentially fall into the hands of miscreants who could have commandeered them for phishing and malware distribution.

The caper

It basically would work like this, similar to previous reports of Microsoft web joy-riding: The tech goliath had loads of sub-domains, such as dev.social.microsoft.com and web.visualstudio.com, served by systems hosted in its Azure cloud. For example, mybrowser.microsoft.com might have resolved to something like webserver9000.azurewebsites.net. When you visited mybrowser.microsoft.com, your browser would have been directed, via DNS, to fetch a page from webserver9000.azurewebsites.net.

Now, as we said, Microsoft has loads of these sub-domains, and after a while it just stops updating some of them and abandons them. Unfortunately, and crucially, it leaves the sub-domains' DNS records in place, so, for example, mybrowser.microsoft.com would still point to webserver9000.azurewebsites.net even though the server instance handling it was long since shut down.

This is where the miscreants swoop in. They get an Azure account, and spin up a web server instance, and request the hostname webserver9000, or webserver9000.azurewebsites.net in its full form. Now, when people visit mybrowser.microsoft.com, they are directed instead to the criminals' webserver9000.azurewebsites.net, which offers victims downloads that look like browser updates but are actually ransomware or malware. Or pages that phish for their Office 365 username and password. You get the idea.


This security shortcoming, and nearly 700 example at-risk sub-domains, were privately reported to Microsoft by Numan Ozdemir and Ozan Agdepe of infosec outfit Vullnerability. To demonstrate the hostnames could be hijacked, they redirected ten of Microsoft's sub-domains, including mybrowser.microsoft.com and identityhelp.microsoft.com, to their own pages hosted on Azure. It appears Microsoft has, in the past 24 hours or so, finally deactivated the sub-domains disclosed by Vullnerability.

"An attacker can upload his own files, create his own databases, track traffic, and create a clone of the main website," Ozdemir and Agdepe explained in an advisory seen by The Register earlier this week ahead of its publication today. "So, it is not possible to detect whether a sub-domain has been hijacked by an attacker or is really managed by system authorities. Attackers threaten security by exploiting visitors' trust."

Ozdemir told El Reg a sub-domain takeover requires little in the way of technical skill, and, depending how long it takes to stumble upon a vulnerable sub-domain, it could take anywhere from five to 30 minutes to commandeer.

Microsoft's response is concerning. It has known about this danger for ages, yet persists with lax DNS management, and has refused to pay out bug bounties for the issue. Ozdemir and Agdepe argued Microsoft's reward scheme included sub-domain security; Redmond disagreed with that interpretation.

All Microsoft has to do is delete DNS entries for sub-domains when decommissioning their servers, or at least consider removing DNS entries for those sub-domains that no longer respond to HTTP requests.

"We have detected more than 670 vulnerable sub-domains, and reported lots of vulnerable sub-domains," said Ozdemir. "We will continue to report all vulnerable sub-domains ... otherwise, nobody will report them to Microsoft. It's a great reason why visitors should be careful while visiting Microsoft's websites. If Microsoft doesn't need us, we invite them to scan all their sub-domains and fix all of vulnerable sub-domains.

"They can detect those vulnerabilities by comparing DNS records and HTTP responses, just as we did."
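The check the researchers describe, comparing DNS records with what actually answers, can be run by a zone owner against their own record export. The Python sketch below is an added example, not code from Vullnerability or Microsoft; the `example.com` zone, the `webserver1`/`webserver2` targets and the live/dead states are constructed, and it assumes a released `azurewebsites.net` hostname stops resolving.

```python
import socket

# Shared-hosting suffixes where a released name can be claimed by another tenant.
CLAIMABLE_SUFFIXES = (".azurewebsites.net",)  # the only one named in the article

def system_resolves(host):
    """Live DNS check: True if the host currently resolves to an address."""
    try:
        socket.getaddrinfo(host, 443)
        return True
    except socket.gaierror:
        return False

def audit_cnames(cnames, resolves=system_resolves, http_ok=None):
    """Classify each sub-domain -> CNAME target pair from a zone we own."""
    findings = {}
    for name, target in sorted(cnames.items()):
        target = target.rstrip(".").lower()
        shared = target.endswith(CLAIMABLE_SUFFIXES)
        if not resolves(target):
            # The record outlived the server: delete the DNS entry.
            findings[name] = "DANGLING" if shared else "BROKEN"
        elif http_ok is not None and not http_ok(name):
            # Resolves but serves nothing: review for decommissioning.
            findings[name] = "NO_HTTP"
        else:
            findings[name] = "OK"
    return findings

# Constructed sample data so the example runs offline (assumption, not real state).
SAMPLE_ZONE = {
    "mybrowser.example.com": "webserver9000.azurewebsites.net.",
    "www.example.com": "webserver1.azurewebsites.net.",
    "legacy.example.com": "old-lb.example.net.",
    "docs.example.com": "webserver2.azurewebsites.net.",
}
LIVE_TARGETS = {"webserver1.azurewebsites.net", "webserver2.azurewebsites.net"}
HTTP_ANSWERING = {"www.example.com"}

def run_sample():
    return audit_cnames(SAMPLE_ZONE,
                        resolves=lambda h: h in LIVE_TARGETS,
                        http_ok=lambda h: h in HTTP_ANSWERING)

if __name__ == "__main__":
    for name, status in run_sample().items():
        print(f"{status:9} {name}")
```

Against a real zone, pass the exported CNAME map and leave `resolves` at its default; `DANGLING` entries are the ones to remove first, since the target name sits in a namespace other tenants can register.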

A spokesperson for Microsoft told El Reg: "We are aware of such reports and are taking appropriate action as needed to help protect Microsoft services and customers." ®

