Microsoft Security Advisory (971888)

Purpose of Advisory: To provide clarification and notification of the availability of a non-security update that may help customers in keeping their systems protected.

Advisory Status: Microsoft Knowledge Base Article and associated updates were released.

Recommendation: Review the referenced Knowledge base and apply the appropriate updates.

This advisory discusses the following software.

What is the scope of the advisory?
This advisory provides notification that updates are available that help define an organizational boundary for systems that are domain joined but do not have a DNS suffix list configured. Updates are available for the software that are listed in the Overview section.

What is a top-level domain (TLD)?
The top-level domain (TLD) is the last part of an Internet domain name. These are the letters that follow the final dot of any domain name. For example, in the domain name wpad.western.corp.contoso.co.us, the TLD is ".us". TLDs can be primarily split into two types: country code and generic. Country code TLDs are two letter abbreviations for each country. In this example .us is for United States. Generic TLDs are the more traditionally recognizable three (or greater) letter abbreviations such as .com, .net, .org, etc. For a full list of all available TLDs, refer to the following list at IANA.

What is a Primary DNS Suffix (PDS)?
This is the domain name appended to the right of a computer's single label host name. A fully qualified domain name (FQDN) can be defined as <hostname>.<primary DNS suffix>. By default, the primary DNS suffix portion of a computer's FQDN is the same as the name of the Active Directory domain to which the computer is joined. However, a computer's PDS may be different than the DNS domain to which it is joined when configured via the Properties dialog box from My Computer.

What is a second-level domain (SLD)?
A second-level domain (SLD) is a domain located directly "below" or to the left of the TLD. In the previous example, wpad.western.corp.contoso.co.us, the SLD is ".co". The most common registration of SLDs is under country code TLDs. The United States primarily uses the SLD for US state registration such as ".co.us" for the state of Colorado for example. Non-US SLDs often reuse common TLD names such as ".com.sg".

What does the DNS devolution feature do?
Devolution is a Windows DNS client feature. Devolution is the process by which Windows DNS clients resolve DNS queries for single-label unqualified hostnames. Queries are constructed by appending PDS to the hostname. The query is retried by systematically removing the left-most label in the PDS until the hostname + remaining PDS resolves or only two labels remain in the stripped PDS. For example, Windows clients looking for "Single-label" in the western.corp.contoso.co.us domain will progressively query Single-label.western.corp.contoso.co.us, Single-label.corp.contoso.co.us, Single-label.contoso.co.us, and then Single-label.co.us until it finds a system that resolves. This process is referred to as devolution. For additional information on the DNS client service and devolution, see the Name Resolution for Single-Label, Unqualified Domain Names section in the TechNet article, TCP/IP Fundamentals for Windows, Chapter 9 - Windows Support for DNS.

What causes this risk?
A malicious user could host a system with a single-label name outside of an organization's boundary and due to DNS devolution may successfully get a Windows DNS client to connect to it as though it were internal to the organizational boundary. For example, if the DNS suffix of an enterprise is corp.contoso.co.us and an attempt is made to resolve an unqualified hostname of "Single-Label", the DNS resolver will try Single-Label.corp.contoso.co.us. If that is not found, it will try, via DNS devolution, to resolve Single-label.contoso.co.us. If that is not found, it will try to resolve Single-label.co.us, which is outside of the contoso.co.us domain.

What are the implications for the queries going outside organizational boundary?
Implications vary depending on the query escaping the organization boundary.

All queries would expose the internal IP addresses. Network clients may exchange credentials with the malicious server. In case the query is for a WPAD server, malicious proxy may be set in the client machines.

Does this update change my current DNS devolution behavior?
Yes. The update checks to see what the domain of the Windows client is and limits DNS queries to within that domain. For more information and examples of the change in DNS devolution behavior, see Microsoft Knowledge Base Article 957579.

Is there a change in user experience after this update is installed?
Yes. After the update is installed, the DNS resolver will only perform devolution to a level based on the domain settings of the Windows client, potentially breaking any applications or configurations that rely on this behavior. For more information on the change in DNS devolution behavior, see Microsoft Knowledge Base Article 957579.

This is a security advisory about a non-security update. Isn't that a contradiction?
Security advisories address security changes that may not require a security bulletin but may still affect customer's overall security. Security advisories are a way for Microsoft to communicate security-related information to customers about issues that may not be classified as vulnerabilities and may not require a security bulletin, or about issues for which no security bulletin has been released. In this case, we are communicating the availability of an update that affects your ability to perform subsequent updates, including security updates. Therefore, this advisory does not address a specific security vulnerability; rather, it addresses your overall security.

How is this update offered?
These updates are available on the Microsoft Download Center. Direct links to the updates for specific affected software are listed in the Affected Software table in the Overview section. For more information about the update and the changes to behavior, see Microsoft Knowledge Base Article 957579.

Is this update distributed on Automatic Update?
No. These updates are not distributed over the Automatic Update mechanism. The updates are only available from the Microsoft Download Center. Direct links to the updates for specific affected software are listed in the Affected Software table in the Overview section.

Why is this not a security update that is announced in a security bulletin?
This is a configuration issue. DNS devolution is working as intended and some customers may depend on DNS devolution to legitimately reach assets out of their organizational boundary and treat them as internal assets.

Why is this update offered in a security advisory?
Customers may not know that Windows clients in their environment are using devolution. Devolution could allow clients to treat systems out of their boundary as internal assets and so they are likely to give up credentials, or expose themselves to information disclosure type vulnerabilities.