Microsoft Corporation in a bid to save its corporate clients potential security-related headaches down the road has purchased the domain corp.com from a private owner for an undisclosed sum.
According to KrebsOnSecurity, a blog run by journalist Brian Krebs, Microsoft has bought the domain from its Wisconsin-based owner Mike O’Connor, who had bought corp.com 26 years ago, was auctioning the domain off for a starting price of $1.7 million.
The problem with the domain is that anybody with access to it could potentially have with passwords, email and other sensitive data from Windows PCs in companies where admins used a generic domain name (corp.com) to represent the idea of any domain when setting up Active Directory.
“We released a security advisory in June of 2009 and a security update that helps keep customers safe. In our ongoing commitment to customer security, we also acquired the Corp.com domain,” the company said in a statement.
The “namespace collision” is a situation where domain names intended to be used exclusively on an internal company network end up overlapping with domains that can resolve normally on the open Internet.
“Early versions of Windows actually encouraged the adoption of insecure settings that made it more likely Windows computers might try to share sensitive data with corp.com,” said the report.
In February this year, KrebsOnSecurity told the story of Mike auctioning off domain corp.com for the starting price of $1.7 million. However, he did not declare how much Microsoft finally paid him for corp.com.
Domain security experts call corp.com dangerous because whoever has it would have access to an “unending stream of passwords, email and other sensitive data from hundreds of thousands of Microsoft Windows PCs at major companies around the globe”.
Windows computers on an internal corporate network validate other things on that network using a Microsoft innovation called ‘Active Directory’.
A core part of the way these things find each other involves a Windows feature called “DNS name devolution”.
In early versions of Windows that supported ‘Active Directory, the default or example Active Directory path was given as “corp,” and many companies apparently adopted this setting without modifying it to include a domain they controlled.
“In practical terms, this means that whoever controls corp.com can passively intercept private communications from hundreds of thousands of computers that end up being taken outside of a corporate environment which uses this “corp” designation for its Active Directory domain,’ the Krebs report elaborated.
Over the years, Microsoft has released several software patches to help tackle “namespace collisions”.