Bitflips when PCs try to reach windows.com: What could possibly go wrong?

Opt-in to Cyber Safety. Multiple layers of protection for your devices, online privacy and more.


Stock photo of ones and zeros displayed across a computer screen.

Bitflips are events that cause individual bits stored in an electronic device to flip, turning a 0 to a 1 or vice versa. Cosmic radiation and fluctuations in power or temperature are the most common naturally occurring causes. Research from 2010 estimated that a computer with 4GB of commodity RAM has a 96 percent chance of experiencing a bitflip within three days.

An independent researcher recently demonstrated how bitflips can come back to bite Windows users when their PCs reach out to Microsoft’s windows.com domain. Windows devices do this regularly to perform actions like making sure the time shown in the computer clock is accurate, connecting to Microsoft’s cloud-based services, and recovering from crashes.

Remy, as the researcher asked to be referred to, mapped the 32 valid domain names that were one bitflip away from windows.com. He provided the following to help readers understand how these flips can cause the domain to change to whndows.com:

01110111 01101001 01101110 01100100 01101111 01110111 01110011
w i n d o w s
01110111 01101000 01101110 01100100 01101111 01110111 01110011
w h n d o w s

Of the 32 bit-flipped values that were valid domain names, Remy found that 14 of them were still available for purchase. This was surprising because Microsoft and other companies normally buy these types of one-off domains to protect customers against phishing attacks. He bought them for $126 and set out to see what would happen. The domains were:

  • windnws.com
  • windo7s.com
  • windkws.com
  • windmws.com
  • winlows.com
  • windgws.com
  • wildows.com
  • wintows.com
  • wijdows.com
  • wiodows.com
  • wifdows.com
  • whndows.com
  • wkndows.com
  • wmndows.com

No inherent verification

Over the course of two weeks, Remy’s server received 199,180 connections from 626 unique IP addresses that were trying to contact ntp.windows.com. By default, Windows machines will connect to this domain once per week to check that the time shown on the device clock is correct. What the researcher found next was even more surprising.

“The NTP client for windows OS has no inherent verification of authenticity, so there is nothing stopping a malicious person from telling all these computers that…

Source…