Microsoft loses control over Windows Tiles subdomain
Microsoft has lost control over a crucial subdomain that Windows 8 and Windows 10 use to deliver RSS-based news and updates to Live Tiles --animated Windows start menu items.
The subdomain (notifications.buildmypinnedsite.com) is currently under the control of Hanno Böck, a security researcher and journalist for German tech news site Golem.de.
Subdomain used by websites to deliver RSS news
The subdomain was part of the buildmypinnedsite.com service that Microsoft set up with the launch of Windows 8, and more specifically to allow websites to show live updates inside users' Start pages and menus.
To take advantage of this new feature, websites could add a meta tag to their source code that allowed Edge users to pin a web page to the Start page in Windows 8 and the Start menu in Windows 10.
On the client-side, when a Windows user opened the Start page/menu, their computer would read the meta tag on the desired site and then load content inside the live tiles.
However, because the Windows Live Tiles service couldn't process the multitude of RSS feed formats, ever since its launch, Microsoft recommended that websites use the notifications.buildmypinnedsite.com subdomain to convert their RSS feeds into a special XML format that the Windows Tiles service would parse and create the animated Live Tiles inside the Start page/menu.
Thousands of websites added this meta tag to their code, in the hopes of taking advantage of a new way to reach their readers.
But today Böck said the service no longer works.
"The host that should deliver the XML files - notifications.buildmypinnedsite.com - only showed an error message from Microsoft's cloud service Azure," the researcher said. "The host was redirected to a subdomain of Azure. However this subdomain wasn't registered with Azure."
Böck registered this subdomain on his Azure account and is currently sinkholing any requests it receives. He also notified Microsoft of the issue but said the company did not reply.
"We won't keep the host registered permanently. There's a decent amount of traffic reaching this host and running up costs," the researcher said.
"Once we cancel the subdomain a bad actor could register it and abuse it for malicious attacks," he warned.
Any threat actor who takes over this domain can use it to craft malformed XML files that could abuse the Windows Live Tiles service to run code on the computers of users who still have website-based Live Tiles in their Start pages/menus.
Böck is also recommending that websites remove the HTML meta tag from their source code, or provide the specially formatted XML files themselves, without sending users over to the notifications.buildmypinnedsite.com subdomain. Some of the sites using this subdomain include Mail.ru, Engadget, BGR, TenForums, Golem.de, Heise.de, and others.
Windows 10 May 2019 Update: The new features that matter most
More vulnerability reports:
- Dragonblood vulnerabilities disclosed in WiFi WPA3 standard
- Tens of thousands of cars were left exposed to thieves due to a hardcoded password
- Kaspersky: 70 percent of attacks now target Office vulnerabilities
- Internet Explorer zero-day lets hackers steal files from Windows PCs
- Microsoft's April Patch Tuesday comes with fixes for two Windows zero-days
- Some enterprise VPN apps store authentication/session cookies insecurely
- KRACK attack: Here's how companies are responding CNET
- Top 10 app vulnerabilities: Unpatched plugins and extensions dominate TechRepublic