Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Windows Security

Windows.com Bitsquatting Hack Can Wreak 'Unknown Havoc' On PCs (arstechnica.com) 61

Posted by BeauHD from the flipped-bits dept.
An anonymous reader quotes a report from Ars Technica: Bitflips are events that cause individual bits stored in an electronic device to flip, turning a 0 to a 1 or vice versa. Cosmic radiation and fluctuations in power or temperature are the most common naturally occurring causes. Research from 2010 estimated that a computer with 4GB of commodity RAM has a 96 percent chance of experiencing a bitflip within three days. An independent researcher recently demonstrated how bitflips can come back to bite Windows users when their PCs reach out to Microsoft's windows.com domain. Windows devices do this regularly to perform actions like making sure the time shown in the computer clock is accurate, connecting to Microsoft's cloud-based services, and recovering from crashes.

Remy, as the researcher asked to be referred to, mapped the 32 valid domain names that were one bitflip away from windows.com. Of the 32 bit-flipped values that were valid domain names, Remy found that 14 of them were still available for purchase. This was surprising because Microsoft and other companies normally buy these types of one-off domains to protect customers against phishing attacks. He bought them for $126 and set out to see what would happen.

Over the course of two weeks, Remy's server received 199,180 connections from 626 unique IP addresses that were trying to contact ntp.windows.com. By default, Windows machines will connect to this domain once per week to check that the time shown on the device clock is correct. What the researcher found next was even more surprising. "The NTP client for windows OS has no inherent verification of authenticity, so there is nothing stopping a malicious person from telling all these computers that it's after 03:14:07 on Tuesday, 19 January 2038 and wreaking unknown havoc as the memory storing the signed 32-bit integer for time overflows," he wrote in a post summarizing his findings. "As it turns out though, for ~30% of these computers doing that would make little to no difference at all to those users because their clock is already broken."
This discussion has been archived. No new comments can be posted.

Windows.com Bitsquatting Hack Can Wreak 'Unknown Havoc' On PCs More

Windows.com Bitsquatting Hack Can Wreak 'Unknown Havoc' On PCs

Comments Filter:

  • "As it turns out though, for ~30% of these computers doing that would make little to no difference at all to those users because their clock is already broken."

    Story was worth it for that alone.

    BTW I use GPS.

  • How does that compare (Score:3)

    by RobinH ( 124750 ) on Thursday March 04, 2021 @06:37PM (#61124662) Homepage
    How does it compare to any other random list of domain names? Aren't there bots out there scanning all IP addresses and all names constantly?

    • Re:How does that compare (Score:4, Insightful)

      by i.r.id10t ( 595143 ) on Thursday March 04, 2021 @07:16PM (#61124822)

      Not sure what you are asking. Basically this guy mapped out the list of possible results of changing one bit in the memory-stored domain name that one Windows process uses to connect to. Most turned to garbage, invalid TLD etc. Apparently there were some that still remained valid domain names, and of those, the 14 he bought were available for purchase. And he gets a lot of connections, so if he wanted to Be Evil it would be relatively easy to do. But should he choose to Be Evil approximately 30% of the victims wouldn't notice because they are having time/clock related issues as it is.

      • The question is about the control sample. These names selected for being close to "windows.com" got X hits in Y time. We know that there are bots constantly scanning for vulnerabilities, and a new domain registration might get you on the list; what is the expected number of hits in Y time for a typical domain?

        • This is not a vulnerability. This is a time server. It is not scanned for by bots, because there aren't that many of them around, and they are not in script kiddie toolkits because they're at present not vulnerable to anything.

          And when something connects (because he was looking at connections, not just scans) it identifies and says "gimme the time". That is what he looked at. Again, nothing a script kiddie tool does.

          Any scans are not relevant. They do not connect to this port and ask for the time.

          • Re: (Score:1)

            by do0b ( 1617057 )
            They are scanned by bots. Misconfigured NTP servers make for fine amplification attack DDoS.

          • This is a time server. It is not scanned for by bots

            RU Sure?

            Feb 13 22:38:15 fruit kernel: [538778.273992] bad udp: IN=eth0 OUT=eth1 SRC=180.214.238.243 DST=x.x.x.x LEN=220 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=UDP SPT=55469 DPT=123 LEN=200
            Feb 13 22:51:19 fruit kernel: [539562.100372] bad udp: IN=eth0 OUT=eth1 SRC=103.125.190.232 DST=x.x.x.x LEN=220 TOS=0x00 PREC=0x00 TTL=243 ID=54321 PROTO=UDP SPT=54204 DPT=123 LEN=200
            Feb 13 22:54:41 fruit kernel: [539763.865268] bad udp: IN=eth0 OUT=eth1 SRC=180.214.

      • Re: (Score:2)

        by RobinH ( 124750 )
        Maybe I missed that part... were the requests actual NTP packets, or just random pings and HTTP requests and stuff?

    • Re: (Score:1)

      by Anonymous Coward
      Bots are connecting to random servers and asking to set their clocks? What is one of us missing?

      • Trying to exploit a NTP server vulnerability.

        • Trying to exploit a NTP server vulnerability.

          Why. No seriously think about it for a moment. NTP is an incredible simple protocol. The server does not have hooks in a system, never runs privileged, doesn't access databases, filesystems, nothing.

          The idea of exploiting an NTP server doesn't pass the pub test (assuming the pub is full of geeks who actually know what we're talking about).

          • Re: (Score:1)

            by wfj2fd ( 4643467 )
            But knowing if someone is running a publicly accessible NTP server is useful information. Most orgs don't, but those that do generally do because they're required for some aspect of their security, or for things like database synchronization.

            • Sorry but that is complete nonsense. NTP servers work for all manner purposes relating to synchronisation unrelated to security, and the systems which have NTP for security reasons normally do so because they on their own network and NTP to an external server is blocked at the firewall.

              Just seeing if NTP is running or doesn't tell you much. Hell it may even tell you that someone just installed a Linux server distro and ticked a few boxes. Better still that IP hosting the NTP server usually doesn't have anyt

  • The other domains (Score:3)

    by BeerCat ( 685972 ) on Thursday March 04, 2021 @06:40PM (#61124676) Homepage

    "Remy, as the researcher asked to be referred to, mapped the 32 valid domain names that were one bitflip away from windows.com. Of the 32 bit-flipped values that were valid domain names, Remy found that 14 of them were still available for purchase."

    14 out of 32 available for purchase. I wonder who owned the other 18.

    More importantly, did he sell his 14 domains on?

  • You're looking at one single bit out of 34,359,738,368 flipping, potentially once every 3 days. Someone can do the math on this, but I don't like your chances of it ever being actually viable...

    • Error detecting/correcting memory (Score:4, Informative)

      by aberglas ( 991072 ) on Thursday March 04, 2021 @07:00PM (#61124750)

      Should be standard everywhere. At least detection, so you know when it happens.

      But somehow those extra few bits quadruple the cost of memory, boards etc. because now you are "server grade".

      Most bit flips are indeed harmless. But you do not know how many are happening on a given machine. It is probably zero, but it could be 100s per hour, it will vary a lot depending on the actual machine and its chips. It is really annoying chasing down software bugs that turn out to actually be caused by hardware.

      • Remembering the good old days of fake parity RAM... Personally, I tend to gravitate towards platforms that at least support ECC, in case I'm ever doing something for which outright failure is the preferred outcome over introducing an error. When building one's own machine, ECC memory doesn't usually cost too much more, though they more or less never come in speeds outside of the basic specifications for the platform (e.g. my 8x4GB of DDR3 1600 registered ECC was $340 back in 2013, when a similar set of basi

        • >Also definitely not saying that OEMs don't charge hellish markup on this sort of stuff.
          I'd certainly never rule that out - but volume no doubt plays a factor as well - if you're only producing 1% as much ECC RAM as non-ECC, then the per-chip overhead costs are going to be 100x higher.

      • But somehow those extra few bits quadruple the cost of memory, boards etc. because now you are "server grade".

        No they increase the cost because of incredibly low volume sales and poor performance.

        It is really annoying chasing down software bugs that turn out to actually be caused by hardware.

        It shouldn't be annoying. If it only happens once it could be a bitflip. If it happens more than once you either have problems with your hardware or your software and you should be thankful you found the issue.

        • >if it happens more than once you either have problems with your hardware or your software

          That's the point isn't it? As a programmer you tend to assume any problems are with your software and can spend ages trying to track down a difficult-to-replicate software problem that doesn't actually exist.. If it's a hardware problem surely it would have shown up elsewhere as well, right? (Wrong. How is it possible that my software is the only one getting obviously hit by this hardware problem? I must have an

    • ..or hell, instead of this hitting the domain name it can instead hit the IP addresses value, which is in fact 32-bit, and there are, surprise, also 32 valid bit flips.

      Are they suggesting Microsoft take over all those numeric IP addresses too?

      ..and soon all web sites IP address have an edit distance of at least 2 from each other, .... because this is some valid concern... yeah

      • Re: (Score:1)

        by NFN_NLN ( 633283 )

        > .... because this is some valid concern... yeah

        Say you're browsing AshleyMadison looking for women. All of a sudden the search for WOMEN enumerator flips to search for MEN.
        A single bit flip could turn you from straight to gay in a nanosecond. The government needs to mandate ECC memory in order to save the population.

    • Re:What about the stats? (Score:4, Interesting)

      by hendric ( 30596 ) * on Thursday March 04, 2021 @08:09PM (#61125020)

      Ask Toyota, or more precisely, the people harmed by their sudden acceleration bug. Bitflips are real, and when you have millions of devices out on the market with life or death control systems, they must be accounted for in fault recovery systems.

      With systems being on longer and longer, RAM loaded data will be more likely to suffer from this. How often do we restart PCs now? Tablets? Once a week/once a month for me. What about all those embedded systems we now have to interact with?

    • Absolutely! The odds of the bit flip being within the say 100 bytes containing the server address is negligible. Indeed, the flipped bit it almost certain to be in a sea of unreferenced zeros, given that the way C allocates heap memory leaves swathes of blocks where less than 50% is in actual use.

  • We can thank Intel for this one (Score:5, Informative)

    by vadim_t ( 324782 ) on Thursday March 04, 2021 @06:54PM (#61124730) Homepage

    Thanks to Intel, ECC RAM is rare on desktops. So buy AMD instead, especially if you're going to venture into things like overclocking.

    And with RAM, overclocking is more complicated than it might seem. For instance, XMP timings count as overclocking. And motherboards support different timings depending on what you put in the RAM slots. Eg, for my Asrock X570 Taichi:

    If you populate all 4 slots, your limit is either 2933 MHz if you only use single rank DIMMs, and 2667 if you use any dual rank ones. You can only go up to 3200 MHz if you only populate two slots.

    So don't know how many ranks your RAM has? Haven't read the specs for the board and only looked at what it advertises on the front? You might well be running your RAM out of the board's spec, and without ECC the corruption might well eat your data before you figure it out.

    • Re:We can thank Intel for this one (Score:5, Interesting)

      by AmiMoJo ( 196126 ) on Thursday March 04, 2021 @07:25PM (#61124864) Homepage Journal

      Don't worry though, the story is horseshit.

      The connections he is getting are likely from people who manually mistyped the domain name. Windows copes just fine with dates beyond 2038.

      Most importantly Windows Update hard codes the IP address and requires cryptographic signatures before trusting the server it finds. Otherwise every hijacked DNS server would be pumping out malware via Windows Update, but that isn't happening.

    • Thanks to Intel, ECC RAM is rare on desktops. So buy AMD instead, especially if you're going to venture into things like overclocking.

      Your story is non-sequitur especially the bit about overclocking. If you actually cared remotely about overclocking you wouldn't touch ECC. If you bought AMD then your CPU is also influenced by memory clock speed and again you wouldn't touch ECC. There are very serious performance penalties to ECC that limit both timing as well as maximum overall clock speed of ECC RAM.

      You might well be running your RAM out of the board's spec, and without ECC the corruption might well eat your data before you figure it out.

      Not really. There's no major variance in signaling performance. It doesn't depend on humidity or who is president. You either are having pro

  • All kinds of greatness here to savor, including the notion that in just three days you have a 96% chance of a bit flip... Programmers always knew computers were inherently non-deterministic, proof at last!

    Tuns out Einstein was partly right; God does not play dice with the universe, but the universe does play dice with you...

  • time travel hacks (Score:1)

    by Anonymous Coward

    Very handy for feeding bad certificates to a computer. Or breaking a computer that is hardened to reject time travel hacks, then following up with a little social engineering. People are more receptive to the "this is Microsoft here to remove viruses from your computer" phone calls if their PC just started acting up.

  • 626 IP addresses is a minuscule % of all computers running Windows (what do you think, 10s of billions?), yet the fact that these computers consistently use the wrong domain suggests there's something different about those computers: likely they had bad RAM (or bad cache). If that's the case then the severity of such an attack must be compared to the severity of having bad RAM to begin with, e.g. writing bad data to random places on your hard drive. ECC RAM should fix this problem, though that's rare on des

  • A stopped clock is right twice a day... (Score:3, Interesting)

    by prisoner-of-enigma ( 535770 ) on Thursday March 04, 2021 @08:45PM (#61125086) Homepage

    Broken clocks? I would love to know how he determined that. And what exactly constitutes a "broken" clock anyway? If your motherboard battery dies, your built-in clock will revert to a default date/time when you power it off, but that is far from being "broken." Other than that, I struggle to imagine what else a clock could do -- since it's software -- to be considered "broken."

    I read in a prior post the claim of setting the date/time to something in 2038 causing mass system failure is not true. I haven't tried it on mine but this does seem to be far fetched on any modern OS.

    Even taking all of the above into account, domain-joined PC's query a domain controller for time during login by default. If they don't and their clock skews too far, they are unable to access domain resources, a clear red flag I've come across many times in my career.

  • "Research from 2010 estimated that a computer with 4GB of commodity RAM has a 96 percent chance of experiencing a bitflip within three days" If that were true I think computers would be far less stable than they are. Would be nice if they linked to the research so we could read for ourselves how the numbers were "estimated".

    • Re: (Score:2)

      by Tommy_S ( 580744 )
      After posting first and then clicking on the link to the article (I'm probably the first guy to ever do that) I see the article actually does link to another article which explains the math. The math is all predicated on bitflips occurring at an average value of "1.3e-12 upsets/bit/hour" and the math article provides a link to yet another article which supposedly shows how the frequency of bitflips was derived but it's a broken link.

  • I don't buy this for multiple reasons.

    There's a chance of 1 bit being flipped out of 32 billion bits within a 3 day period. What are the odds that bitflip will affect the 14 bytes in which the domain name is stored?

    If the RAM in question is paged to disc then that vastly decreases the odds of it being corrupted by a bit flip.

    Is the actual domain name stored plaintext 8 bit characters in memory, and not as the mapped IP address? If the software stays resident in memory, and is always running, then it's lik

    • And there are BILLIONS of other corruptions happening, leading to many crashes and other issues. Thus the standard first response when a machine acts weird is "reboot and see if it helps".

      And no, the underlying Win32 API, which does the net call, uses ASCII.

  • Misleading dates (Score:5, Funny)

    by Skiron ( 735617 ) on Friday March 05, 2021 @03:49AM (#61126022)
    "Research from 2010 estimated that a computer with 4GB of commodity RAM has a 96 percent chance of experiencing a bitflip within three days"

    Actually, the research was last year, but their clocks were wrong.

  • "...~30% of these computers doing that would make little to no difference at all to those users because their clock is already broken."

    This is like looking at someones desktop and finding the clock down in the systray flashing 12:00.

    How you know, humanity is devolving; The Windows VCR comes with NTP, and lusers still can't get it right.

  • This statement is both right and wrong.

    "The NTP client for windows OS has no inherent verification of authenticity, so there is nothing stopping a malicious person from telling all these computers that it's after 03:14:07 on Tuesday, 19 January 2038 and wreaking unknown havoc as the memory storing the signed 32-bit integer for time overflows,"

    The author is correct that NTP does not have authentication enabled by default, but he's wrong about the impact that can have.

    Non-domain joined clients have a MaxNegPhaseCorrection and MaxPosPhaseCorrection setting documented here [microsoft.com] that limits the time skew a non-domain joined client will accept to +/- 15 hours of the current system clock. Beyond that the clock has to be manually adjusted.

    Domain joined machines use SNTP to sync time from their domain controllers, and are not impacted.

    (This is one of the few topics where I'm an honest-to-betsy expert. :) )

Slashdot Top Deals

An authority is a person who can tell you more about something than you really care to know.

Close