07 Apr 20

Microsoft Buys Corp.com So Bad Guys Can’t

In February, KrebsOnSecurity told the story of a private citizen auctioning off the dangerous domain corp.com for the starting price of $1.7 million. Domain experts called corp.com dangerous because years of testing showed whoever wields it would have access to an unending stream of passwords, email and other sensitive data from hundreds of thousands of Microsoft Windows PCs at major companies around the globe. This week, Microsoft Corp. agreed to buy the domain in a bid to keep it out of the hands of those who might abuse its awesome power.

Wisconsin native Mike O’Connor, who bought corp.com 26 years ago but has done very little with it since, said he hoped Microsoft would buy it because hundreds of thousands of confused Windows PCs are constantly trying to share sensitive data with corp.com. Also, early versions of Windows actually encouraged the adoption of insecure settings that made it more likely Windows computers might try to share sensitive data with corp.com.

From February’s piece:

At issue is a problem known as “namespace collision,” a situation where domain names intended to be used exclusively on an internal company network end up overlapping with domains that can resolve normally on the open Internet.

Windows computers on an internal corporate network validate other things on that network using a Microsoft innovation called Active Directory, which is the umbrella term for a broad range of identity-related services in Windows environments. A core part of the way these things find each other involves a Windows feature called “DNS name devolution,” which is a kind of network shorthand that makes it easier to find other computers or servers without having to specify a full, legitimate domain name for those resources.

For instance, if a company runs an internal network with the name internalnetwork.example.com, and an employee on that network wishes to access a shared drive called “drive1,” there’s no need to type “drive1.internalnetwork.example.com” into Windows Explorer; typing “\\drive1\” alone will suffice, and Windows takes care of the rest.

But things can get far trickier with an internal Windows domain that does not map back to a second-level domain the organization actually owns and controls. And unfortunately, in early versions of Windows that supported Active Directory — Windows 2000 Server, for example — the default or example Active Directory path was given as “corp,” and many companies apparently adopted this setting without modifying it to include a domain they controlled.

Compounding things further, some companies then went on to build (and/or assimilate) vast networks of networks on top of this erroneous setting.

Now, none of this was much of a security concern back in the day when it was impractical for employees to lug their bulky desktop computers and monitors outside of the corporate network. But what happens when an employee working at a company with an Active Directory network path called “corp” takes a company laptop to the local Starbucks?

Chances are good that at least some resources on the employee’s laptop will still try to access that internal “corp” domain. And because of the way DNS name devolution works on Windows, that company laptop online via the Starbucks wireless connection is likely to then seek those same resources at “corp.com.”

In practical terms, this means that whoever controls corp.com can passively intercept private communications from hundreds of thousands of computers that end up being taken outside of a corporate environment which uses this “corp” designation for its Active Directory domain.

The story went on to describe how years of testing — some of which was subsidized by grants from the U.S. Department of Homeland Security — showed hundreds of thousands of Windows computers were constantly trying to send this domain information it had no business receiving, including attempts to log in to internal corporate networks and access specific file shares on those networks.

O’Connor told me he was selling the domain after doing basically nothing with it for 26 years because he was getting on in years and didn’t want his kids to inherit this mess. When he put the domain up for sale, I asked if he’d agree to let me know if and when he sold it.

On Monday evening, he wrote to say that Microsoft had agreed to purchase it. O’Connor said he could not discuss the terms of the deal, nor could he offer further comment beyond acknowledging the sale of corp.com to Microsoft.

In a written statement, Microsoft said it acquired the domain to protect its customers.

“To help in keeping systems protected we encourage customers to practice safe security habits when planning for internal domain and network names,” the statement reads. “We released a security advisory in June of 2009 and a security update that helps keep customers safe. In our ongoing commitment to customer security, we also acquired the Corp.com domain.”

Over the years, Microsoft has shipped several software updates to help decrease the likelihood of namespace collisions that could create a security problem for companies that still rely on Active Directory domains that do not map to a domain they control.

However, experts say hardly any vulnerable organizations have deployed these fixes for two reasons. First, doing so requires the organization to take down its entire Active Directory network simultaneously for some period of time.

Second, according to Microsoft, applying the patch(es) will likely break or at least slow down a number of applications that the affected organization relies upon for day-to-day operations. Faced with either or both of these scenarios, most affected companies probably decided the actual risk of not applying these updates was comparatively low.

It should be noted that while Microsoft’s purchase of corp.com will safeguard companies that built Active Directory infrastructures on top of “corp” or “corp.com,” any company that has tied their internal Active Directory network to a domain they do not control is opening itself to a similar potential security nightmare.
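The devolution walk described in the February excerpt and the closing warning about Active Directory names that are not anchored under a domain the organization controls can both be checked mechanically. The following is an added example, not code from KrebsOnSecurity, Microsoft or the JAS research the story cites. It assumes a simplified model of devolution (the leftmost label of the primary DNS suffix is dropped one at a time until two labels remain; the real devolution level is configurable) and a constructed list of owned domains; `devolved_suffixes`, `audit_ad_domain`, the probe name `drive1` and the sample forest names are all mine.

```python
"""
Added example (not code from KrebsOnSecurity, Microsoft or JAS): a small model
of Windows DNS name devolution plus an audit that flags Active Directory
domains whose DNS names do not sit under a domain the organization owns.

Assumptions, because the article gives only the outline of the behaviour:
  * devolution is modelled as dropping the leftmost label of the primary DNS
    suffix one at a time until `level` labels remain (two is assumed as the
    default level; Windows makes this configurable);
  * "owned" means the organization registered the public domain; the list in
    the demo is constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List


def devolved_suffixes(primary_suffix: str, level: int = 2) -> List[str]:
    """Primary DNS suffix followed by each devolved form down to `level` labels.

    "nyc.corp.example.com" -> ["nyc.corp.example.com", "corp.example.com", "example.com"]
    A single-label suffix such as "corp" cannot devolve and is returned alone.
    """
    labels = [lbl for lbl in primary_suffix.lower().strip(".").split(".") if lbl]
    out = [".".join(labels)]
    while len(labels) > level:
        labels = labels[1:]
        out.append(".".join(labels))
    return out


def candidate_names(short_name: str, primary_suffix: str, level: int = 2) -> List[str]:
    """FQDNs a host would try, in order, for an unqualified name like "drive1"."""
    return [f"{short_name.lower()}.{s}" for s in devolved_suffixes(primary_suffix, level)]


def registrable_parent(name: str) -> str:
    """Last two labels of a name ("drive1.corp.example.com" -> "example.com").

    Simplification: treats every TLD as a plain one; a real audit should use the
    Public Suffix List so that names under e.g. co.uk are judged correctly.
    """
    labels = name.lower().strip(".").split(".")
    return ".".join(labels[-2:])


@dataclass
class Finding:
    ad_domain: str
    verdict: str               # "ok", "single-label" or "not-owned"
    external_names: List[str]  # names that would leave the org's namespace


def audit_ad_domain(ad_domain: str, owned: List[str], probe: str = "drive1") -> Finding:
    """Classify one AD domain name and list the names devolution would leak.

    `probe` stands in for any internal resource (a file share, a DC locator
    record) that a roaming laptop keeps asking for after leaving the network.
    """
    owned_set = {o.lower() for o in owned}
    labels = ad_domain.lower().strip(".").split(".")
    if len(labels) == 1:
        # The article's "corp" case: nothing to devolve, and the name is not
        # anchored under any domain the organization registered.
        return Finding(ad_domain, "single-label", [f"{probe}.{ad_domain.lower()}"])
    leaked = [n for n in candidate_names(probe, ad_domain)
              if registrable_parent(n) not in owned_set]
    return Finding(ad_domain, "not-owned" if leaked else "ok", leaked)


def audit_all(ad_domains: List[str], owned: List[str]) -> Dict[str, Finding]:
    """Audit every forest/domain name in the list against the owned domains."""
    return {d: audit_ad_domain(d, owned) for d in ad_domains}


if __name__ == "__main__":
    # Constructed sample: one well-anchored forest and two risky ones.
    OWNED = ["example.com"]
    SAMPLE = ["nyc.corp.example.com", "corp", "ad.corp.net"]
    for d, f in audit_all(SAMPLE, OWNED).items():
        print(f"{d:24} {f.verdict:13} {', '.join(f.external_names) or '-'}")
```

Running the block prints one line per sample domain: `nyc.corp.example.com` is clean because every devolved name still ends in the owned `example.com`; `corp` is flagged as a single-label name with nothing to devolve to (the case the article says ends up at corp.com); and `ad.corp.net` would send `drive1.corp.net` to whoever registers corp.net. A production version should replace `registrable_parent` with a Public Suffix List lookup and feed it the real forest names from the directory rather than a hand-written list.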

Further reading:

Mitigating the Risk of DNS Namespace Collisions (PDF)

DEFCON 21 – DNS May Be Hazardous to your Health (Robert Stucke)

Mitigating the Risk of Name Collision-Based Man-in-the-Middle Attacks (PDF)


65 comments

  1. An example of money well spent on one thing to protect us all — seems something of a common theme, just now.

    • … well spent, to intercept that information instead of anyone else.

    • Agreed. In the last 7 years Microsoft has made tremendous steps customer service wise. It is night and day better than the 18004myxbox days. For such a huge company, it’s not that hard to get ahold of a customer service rep.
      A lot of their recent actions in the gaming spheres have been consumer focused too.

    • How did Microsoft Corporation not come to a deal 10 years ago?

  2. Stephanie Harris

    I’m sure that is one “.com” that paid off large – hopefully he can now enjoy his retirement and his children will inherit wealth instead of a mess.

    • Um, it’s 1.7 million… I doubt it’s enough to retire on, let alone have a big inheritance.

      • That was the opening bid and not the final price.

      • Depends upon your needs; I get by just fine on the age pension alone…

      • Haha I’m sorry but you’re a fool that does not know how to save or spend money. Nobody said you need to spend the 1.7 mil right away… and if people can survive and live off of minimum wage, I am quite sure getting 1.7 mil would suffice. For example let’s say this guy made 40k a year. If he is used to that spending, having 1.7 mil will last him about 15 years or so, even more. If you retire at 65 and have guaranteed money until you’re 85… that sounds pretty awesome. Don’t forget he has social security and all other things, those don’t disappear when you make a good sale. I think you’re financially off and have zero idea how to handle money

        • Also, if you invested it and got a 5% return, which should be quite easy on that much money, you could pay yourself a $85,000 a year salary and never even touch the 1.7 million.

      • how much would you consider enough to retire on?

        • Rube Goldberg's Razor

          I don’t always retire, but when I do, it’s always on other people’s money.

          ~ The Most Interest-Consuming Man In The World

    • Is that what we’re calling domain squatting now…. retirement planning?

  3. In addition to the AD vulnerability, which is scary, it’s a domain ideal for address spoofing in phishing and such. So, instead of bank.com, the bad guys use bank.corp.com. That probably wouldn’t get past readers here, but it would get past a lot of people.

  4. Microsoft created the problem.

    There’s nothing altruistic about them paying to mitigate something they should have fixed years ago.

    • Agreed

    • The sad part is that anyone that builds their AD on their domain name and changes their domain name is in the same boat. And there still is no fix.
      So what then are you supposed to use as your namespace for AD?

      • Are you aware of any company that changes their domain name (as a result of an acquisition or rebrand) and actually abandons the old one?

        I doubt that very much.

        • Sadly, some companies do abandon old domain names. A company I worked for got acquired and the new company abandoned the domain after a year or two. The abandoned named got purchased by someone hosting malvertisements so every DNS request for the old name now goes to a criminal site trying to convince you that you’re wanted by the FBI or that you need to install their special Flash update or something.

          I blogged about it back in November when I finally managed to track down random page redirects to an old Windows configuration that was still using the abandoned domain name.

          https://shaminospage.blogspot.com/2019/11/security-tip-watch-out-for-expired-dns.html

  5. Well, The Onion won’t have to work at all to copy this article’s title.

  6. We discussed this on the OpenSourceSecurity Podcast back in Feb 2020 https://www.opensourcesecuritypodcast.com/2020/02/episode-184-its-dns-its-always-dns.html TL;DR: this is the least painful outcome of these DNS shenanigans.

  7. Given that Microsoft has a habit of letting even important domains expire, hopefully they have the sense to register corp.com for a decade or two.

    In an ideal world they would contact any companies that are inadvertently sharing out information, but I don’t have a lot of trust that Microsoft will create that kind of cohesive, long-term plan. It’s more likely that they’ll simply have corp.com redirect to some other Microsoft site, which is good enough I suppose.

  8. Wouldn’t it have been great to be smart enough to make up a lot of domain names that would end up being critical like that, and just sit on that gold mine until it paid off?

    I got to admit though, it takes discipline to sit there and pay those yearly fees for that name(s) for 26 years. I hate to imagine what that bill comes to now! I was squatting on a name, and several “dots” for almost 17 years now, that only I would want, but I finally got tired of paying those ridiculous fees, and dropped them like a bag of rotten potatoes.

  9. I certainly see nothing altruistic about Microsoft shelling out the shekels for this domain — it seems to me to be a “small price now versus much bigger price later.”

    I’m just glad the crowd of Microsoft MBAs saw this as financially responsible on the front end.

  10. If only MS would have locked down AD domain names to *.local back in the day. Would have saved them some scratch 20 years later.

    • As a partial fix, what about Windows not resolving corp.com to anything outside an RFC 1918 address, or more than a few network hops away? It wouldn’t solve all the problems, but would deal with a vast majority of them.

    • They did recommend that. And then they backflipped on that years later after it caused interop issues with apple’s service discovery protocol, and more. But the damage is already done, nobody is going to bother renaming their AD domain.

  11. “Microsoft innovation called Active Directory” lol, MSFT doesn’t “innovate “, they buy, steal and copy everything and call it their own. They stole from Novell for AD.

    • You forgot about Banyan Vines, which Novell and Microsoft took their ideas from. https://en.wikipedia.org/wiki/Banyan_VINES

    • Wow, I have to reply to this. I don’t think MS stole much from Novell. AD/MS will never compare to the manageability, stability, and feature richness that Novell OES had. After all these years, official MS support told me last month that VSS is not designed for backup/recovery of data files – only system files. WTF? Novell had file versioning / recovery for as long as I can remember, and it always worked, and still works. (And I’ve been in this game 30 years). Long live Novell.

    • This is nonsense.

      Active Directory is based on the X.500 Directory standard (the corresponding ISO standard is ISO/IEC 9594).

      My understanding is that Microsoft’s initial Active Directory implementation was based on an X.500 directory product licensed from a UK company called Vega (I worked alongside this company around the time Active Directory was introduced – current companies with this name seem to bear no relation to that company, so I presume it is now defunct).

      The suggestion that Microsoft ‘stole’ anything is simply ludicrous.

      • People who say “simply ludicrous” too often tend to exhibit that.

        “Plus, his analysis only deals with copied code, not with the look and feel of the operating system. In 2004, Little Brown published a book by Harold Evans called They Made America: From the Steam Engine to the Search Engine: Two Centuries of Innovators which included Kildall’s claims that the API and look and feel of 86-DOS had been copied from CP/M. In 2005, Paterson tried to sue both Evans and Little Brown for defamation, but the case was ultimately dismissed as the judge found that Paterson had indeed copied CP/M’s API. Considering the recent decision that APIs aren’t subject to copyright, it doesn’t seem that DRI would have had much luck in court. But it’s hard to dispute the similarities between the operating systems.”

        Microsoft bought (from Seattle Computer) the QDOS system that had copied (“stolen,” yes, though you can’t copyright an API) the API from CP/M. So whether or not actual binary bitcode was 1:1 copied, yes, Microsoft has bits of stolen IP in their products all up and down the line whether or not anyone sues successfully over them; it’s indeterminant of that court outcome. The original author did not sue and his limitations have long expired. MS of course isn’t the only one, nor is this specifically related to AD.

        But to say they haven’t stolen anything and the idea is “simply ludicrous” out of hand like that, well, it’s oversimplistic at best.

  12. Does this mean that Microsoft will now receive “information it had no business receiving, including attempts to log in to internal corporate networks and access specific file shares on those networks.”

    • You’re talking about a company that with a flick of a switch could quietly ship an update that could do that and far worse. At some point, you have to give MS the benefit of the doubt that they’re not going to do anything nefarious with this domain other than make sure no one else can have it, because there are far easier ways for them to be evil if that’s what they wanted to do.

      • Bruce–I have to second you on this one. Microsoft seems to have put on a white hat lately.

        I ran a non-Microsoft development team near Redmond for many years and I have dealt with them a lot. I’ve competed with them, sold products to them, and developed for them. At one time, we even had a source code license for Windows.

        Once, when we were in a deal with Big Blue, an IBMer who was visiting us tossed a rock into a Microsoft barbecue while we were walking by one of their parking lots. And I darn near tossed a second one myself. That’s what I thought of MSFT back then.

        They are not the company they were in the 90s and early 00s. They made their mistakes and they will continue to make them because 80% of reliable software has always been and always will be correcting defects that QA misses. I think Microsoft has gotten pretty good at owning up and fixing up lately.

        And they don’t even hate Linux anymore.

    • You’re right. It’s true from a technical point of view. But Microsoft can use more covert means, such as a software update, to lure users to authorize, which are much better than this, and more difficult to be found.

      • How is shipping an update, that some non-zero number of security-conscious governments will audit, more passive than sucking up data that just comes in to ‘corp.com’?

        There is no reason to trust Microsoft to deal with this safely.

        • They could also use it as a bargaining chip in the JEDI negotiations and offer to just send all the traffic straight to the NSA. No one would know, and they wouldn’t risk the reputational damage of getting caught screwing with a Windows update.

  13. Yes, it’s great that MS purchased this domain name, no question about it. I rather see them owning it, than a private entity.

    Just don’t forget that doing so did not change the domain name’s “awesome power”. Your AD still wants to reach out to corp.com…

  14. Coronald McDonald

    I think you have a proofread error there Brian – the modifier “Other” got omitted.

    Bicycle repairman, our hero!

  15. Patricia Cravener

    Good on MS. I’ll still be annoyed every time their untested patch Tuesday updates cause more problems than the original issue being ‘corrected’ was, but I’ll be just that little bit more forgiving now that they’ve done the right thing with corp.com — taking it out of circulation.

  16. Well done Microsoft well done Krebs for shining a spotlight on this critical issue.

  17. Puneet Agarwal

    Sorry to intrude but I am selling privilegeescalation.com , arpspoofing.com , threewayhandshake.com , socialengineeringtoolkit.com and other top 50 cyber security related domain names. If anyone is interested please let me know.

    • Wais Ted Yamunny

      Hi Puneet, well it looks like you wasted your money, sadly. I have Puneetspoofing.com for sale if you want. I also have Puneetescalation, Puneethandshake and Puneethandshake.com

      • Puneet Agarwal

        You think you are a very punny guy! Well the true punmeister is me, Puneet. I don’t need those names, thanks, but I appreciate your humor. I also appreciate anyone that wants to buy arpspoofing, dnsspoofing, whitehathacker, krebsoneverything.com and all the other domain names that I own and am willing to SELL.

        • Puneet Agarwal

          This above person by the name of mine is a prankster. I am the real Puneet Agarwal who posted those domains

        • Puneet Agarwal

          I am not that Puneet Agarwal.

        • Puneet Agarwal

          Mr Wais and fake Puneet Agarwal who started his comment with “you think you are” etc etc.
          The domain names which you have mentioned are of zero value. Throw them.
          Mine are highly searched ones.
          Also I can understand your frustration and envy with domainers, as you are not able to own them.
          The ones like you would have said the same thing to Mike as well in the 90s when he booked corp.com

      • Puneet Agarwal

        Mr Wais all those domains by my name are not worth. Those keywords are not searched on internet. The keywords which I have mentioned are searched ones sir

  18. Shayan Eskandari

    This reminded me of `WPAD` namespace for DNS and DHCP:

    https://en.wikipedia.org/wiki/Web_Proxy_Auto-Discovery_Protocol

    I remember logging all requests to wpad.ir, there were many from Brazil for some reason.

  19. God Stands Before Me

    I suggest these things be fixed if not maybe we will look like a star indeed. If any bother mine or me not the 26th in the Sky you see. If not then then when the ones you love the most will see be. Fool you not God see I am not he only maybe shadow of he. Did not think the world an accident? Why then repeat patterns they be in nature you see. Accidents like that can’t be only from a divine maybe. Undo this what has be done as much as can or Gods will WILL BE DONE…

  20. Marquin Thompson

    Why not destroy the program so no one could have it??? The bad guys could possibly be Microsoft as well. How do we know they’re not?

  21. Brian, thank you for doing such an eloquent job explaining this complex issue. After 6 long years, this saga has finally come to a successful end. The Internet is a safer place today because of the quiet work of a number of dedicated folks behind the scenes.

    So many things worked “right” here to come to this successful end. My company (JAS) first identified this issue in 2014, and undertook Responsible Disclosure to the extreme as MSFT initially worked through issues related to this hard problem.
    https://msrc-blog.microsoft.com/2015/02/10/ms15-011-ms15-014-hardening-group-policy/

    The owner rejected numerous offers over the years in recognition that corp.com was “special.”

    Microsoft took the time and dedicated the technical resources to gain an understanding of the underlying technical issues and solve the root causes.

    I’m honored to be a part of a story with a happy ending and a safer Internet.

  22. I wonder what Microsoft spent on this domain… $5 million? $8 million?

  23. It’s a small price for Microsquash to pay to resolve a long-standing problem that they created. Of course, none of the money addresses the problem of what they may do with the data that these unpatched systems try to send to the Corp[.]com domain.

    That said, the funniest part of this article is where Krebs calls Novell Directory Services a Microsoft innovation! *Snickers*

  24. Just say NO to ID2020!

    https://en.wikipedia.org/wiki/Microsoft_vs._MikeRoweSoft

    “Microsoft v. MikeRoweSoft was a legal dispute between Microsoft and a Canadian Belmont High School student named Mike Rowe over the domain name “MikeRoweSoft.com”. Microsoft argued that their trademark had been infringed because of the phonetic resemblance between “Microsoft” and “MikeRoweSoft”.

    The case received international press attention following Microsoft’s perceived heavy-handed approach to a 12th grade student’s part-time web design business and the subsequent support that Rowe received from the online community. A settlement was eventually reached, with Rowe granting ownership of the domain to Microsoft in exchange for an Xbox and additional compensation.” […]

    https://en.wikipedia.org/wiki/Microsoft_Corp._v._Lindows.com,_Inc.

    “Microsoft v. Lindows.com, Inc. was a court case brought by Microsoft against Lindows, Inc in December 2001, claiming that the name “Lindows” was a violation of its trademark “Windows.”

    After two and a half years of court battles, Microsoft paid US$20 million for the Lindows trademark, and Lindows Inc. became Linspire Inc.”

  25. please send more details to me by email, thanks

  26. I don’t get the issue. Change your hosts file to point to the local machine. i.e. 127.0.0.1 corp.com, 127.0.0.1 corp.org, corp.net…

    Shouldn’t that resolve data leakage, or am I just being dense?

  27. It is really informative and good to know that the problem with corp.com has finally been resolved.