Microsoft Rushes To Register Autodiscover Domains Leaking Credentials (bleepingcomputer.com) 20
Microsoft is rushing to register Internet domains used to steal Windows credentials sent from faulty implementations of the Microsoft Exchange Autodiscover protocol. BleepingComputer reports: On Monday, Guardicore's Amit Serper released new research about how the issue caused the exposure of close to 100,000 unique Windows and email credentials. When users configure their Exchange accounts on email clients, the app will attempt to authenticate to various Autodiscover URLs associated with Microsoft Exchange servers for their organization. If a successful authentication occurs, the Exchange server will send back settings that the mail client should use. However, many mail clients, including some versions of Microsoft Outlook and Office 365, incorrectly implement the Autodiscover protocol causing them to try and authenticate to third-party autodiscover.[tld] URLs that are not related to a user's organization. Examples of such domains include autodiscover.com, autodiscover.uk, and autodiscover.de. Threat actors could register autodiscover.[tld] domains and begin collecting the leaked Windows and email credentials for attacks against the organization. In response to Serper's report, Microsoft issued the following statement: "We are actively investigating and will take appropriate steps to protect customers. We are committed to coordinated vulnerability disclosure, an industry standard, collaborative approach that reduces unnecessary risk for customers before issues are made public. Unfortunately, this issue was not reported to us before the researcher marketing team presented it to the media, so we learned of the claims today."
"Since then, Microsoft has been rushing to register any autodiscover.[tld] domains it can find to prevent them from being used to steal Windows credentials," adds BleepingComputer. "At the time of this writing, [...] Microsoft registered at least 68 domains related to Autodiscover."
"Since then, Microsoft has been rushing to register any autodiscover.[tld] domains it can find to prevent them from being used to steal Windows credentials," adds BleepingComputer. "At the time of this writing, [...] Microsoft registered at least 68 domains related to Autodiscover."
Bad Design (Score:4, Informative)
Like most Microsoft crappola, it was designed by idiots ...
Re: (Score:2)
In that case open-source has no CVEs because our team is smarter than the average bear. Oh and...thousand eyes aren't needed; good design and all that.
Re:Bad Design (Score:4, Informative)
"By idiots, for idiots!"
Re: (Score:2, Insightful)
Like most Microsoft crappola, it was designed by idiots ...
It's a protocol that is literally 25 years old. This particular part of the specification isn't that old, certainly, but... it's specification that's the issue, not code. The spec is open. This issue isn't new. It's taken a long time for non-Microsoft eyes to notice it. But... it's easy to dismiss the designers as idiots, isn't it? Even if the flaw wasn't obvious to the point nobody saw it until now?
Go write a spec for a protocol that lasts a decade or two of increasing security consciousness and do
Re: Bad Design (Score:2)
Re: Bad Design (Score:5, Informative)
This particular problem was found and reported to Microsoft years ago. From TFA:
Research regarding faulty Microsoft Autodiscover protocol implementations leaking Windows credentials is not new, and Microsoft has been aware of the issue for years. The research was first disclosed in a Black Hat Asia 2017 briefing, together with a formal research paper explaining the leaks. Other researchers also said they have reported the issue to Microsoft in the past and were told it was not a bug.
Re: (Score:2)
Failing to fix it provides pressure for get full system upgrades. It's a motivation to avoid fixes that would be discussed by managers.
Press Release was a selective, by omission BS (Score:3)
Re: (Score:3)
The first disclosure was well before BH, this has come up at various hacker cons at least a decade ago, can't remember if it was Ruxcon or Kiwicon where it was demonstrated then. Nice to see Microsoft have addressed this giant publicly-known security hole with their usual urgency for fixing such problems.
Wonder how long it'll take them to fix the 305I vulnerability? It's only been, what, eight years so far.... leading to an obvious joke, "In Microsoft terms, how long does the '0' in '0day' go on for?".
Re: (Score:2)
They were told it was "working as designed".
THere you go. Designed as shit for use by shitheads from the get go. Microsoft knew it was a pile of shit.
Re: (Score:2)
Been there, done that, No problem at all. It is easy not to be a stupid dumb fucker.
If Microsoft conceived it, then it is a bag of ill-conceived horse-shit from the get go.
Thus it is, and thus it has always been.
Why not fix their defective software? (Score:2)
This sounds like something a government organization would do.
Re: (Score:3)
Fixing it (which I am sure they are also doing) won't keep people from continuing to use old versions of the software.
Re: (Score:2)
Dear lord, amen to this. I'm very familiar with very, very old operating systems and software tools which companies cannot and will not pay to update as needed.
If only ... (Score:2)
If only there was some sort of solution nobody had thought of yet. Something like administrators, with some sort of enterprise management policy object type thing, or scripts, or .. or just not having software randomly send your credentials to random geo-based things when the settings don't work the first time...
Welcome to the cloud - Where your entire company really is at risk from the stupidest mistakes smart people can make.
Don't look higher up the DNS tree (Score:5, Insightful)
First: autodiscovery shouldn't attempt to shorten the DNS name when attempting to contact the server. If the user provides an email address of "bob@mail.example.com" then "mail.example.com" should be the only domain checked. Due to delegation you can't guarantee that "example.com" belongs to the same organization. It usually will for TLDs like ".com", but you can't know for sure how many segments on the right-hand end of the domain act like part of the TLD and at what point the organization name occurs. Eg., "example.co.uk". For new TLDs the rules of thumb are even less apparent. The only safe approach is to not assume anything about any suffix of the domain you're given unless you're told to by a server in the domain given.
Second: never ever ever send unencrypted credentials anywhere, even over a secure connection.
That ought to be Security 101 type stuff there.
Re: (Score:3)
And imagine a broken DNS on the way causing all kinds of side effects when someone discovers that they can spoof the autodiscover lookup.
I can also imagine that someone is able to just do that with a hacked switch somewhere - look for DNS lookups, then be faster with the answer than the real server and the client would be misdirected. In theory possible because DNS lookups are UDP, but maybe not that easy to implement. It will only work when the real DNS is a few hops away in the net.
Re: (Score:2)
Microsoft's use of DNS in search has been broken since before NT4. Back then you could search search for a file and, God forbid, you had TCP/IP running, it would exhaust your domain(s) and start in on the Internet. And time out while you grew grey hair.
And then there's the MUP.
Shirkin responsbility (Score:5, Insightful)
"Unfortunately, this issue was not reported to us before the researcher marketing team presented it to the media, so we learned of the claims today."
As usual, Microsoft expects other people to do their security audits for them, and blames those who found the problem rather than themselves for failing to find it first.