Microsoft has purchased the domain corp.com. The purchase was first reported by security researcher Brian Krebs; the company confirmed it on Tuesday but didn’t say how much it had paid to acquire the domain. It had a $1.7 million starting price when it was first listed in February by a man named Mike O’Connor who had owned it for about 26 years.
Corp.com was a potential security threat waiting to happen thanks to something known as namespace collision, a situation in which there’s an overlap between an internal domain name and an address out on the internet. In earlier versions of Windows, the default domain name suggestion for admins setting up the company’s Active Directory service was “corp.” The issue here was two-fold. First, Microsoft tied the default suggestion to a real address (the current best practice is to direct people to example.com or example.org). Second, a lot of admins just went with the default suggestion instead of changing the setting.
According to KrebsOnSecurity, a blog run by journalist Brian Krebs, Microsoft has bought the domain from its Wisconsin-based owner Mike O’Connor “in a bid to keep it out of the hands of those who might abuse its awesome power”.
“We released a security advisory in June of 2009 and a security update that helps keep customers safe. In our ongoing commitment to customer security, we also acquired the Corp.com domain,” the company said in a statement.
Mike bought corp.com 26 years ago and hoped Microsoft would buy it someday because “hundreds of thousands of confused Windows PCs are constantly trying to share sensitive data with corp.com”.
“Early versions of Windows actually encouraged the adoption of insecure settings that made it more likely Windows computers might try to share sensitive data with corp.com,” said the report.
In February this year, KrebsOnSecurity told the story of Mike auctioning off the domain corp.com for the starting price of $1.7 million. However, he did not declare how much Microsoft finally paid him for corp.com.
Domain security experts call corp.com dangerous because whoever has it would have access to an “unending stream of passwords, email and other sensitive data from hundreds of thousands of Microsoft Windows PCs at major companies around the globe”.
Windows computers on an internal corporate network validate other things on that network using a Microsoft innovation called ‘Active Directory’. A core part of the way these things find each other involves a Windows feature called “DNS name devolution”.
In early versions of Windows that supported ‘Active Directory’, the default or example Active Directory path was given as “corp,” and many companies apparently adopted this setting without modifying it to include a domain they controlled.
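As an added illustration (not code from Microsoft or KrebsOnSecurity), the Python sketch below uses a simplified model of DNS name devolution to show which lookups for a short name would leave the domains an organization controls. The function names, the probe host name `fileserver`, the `level` parameter and the sample suffixes are assumptions made for this example.

```python
def devolution_candidates(short_name, primary_suffix, level=2):
    """Simplified model of name devolution: append the primary DNS suffix,
    then each parent suffix, stopping once the suffix has `level` labels."""
    labels = primary_suffix.lower().strip(".").split(".")
    candidates = []
    while labels:
        candidates.append(short_name.lower() + "." + ".".join(labels))
        if len(labels) <= level:
            break
        labels = labels[1:]  # drop the leftmost label and try the parent
    return candidates


def is_controlled(fqdn, controlled_domains):
    """True if fqdn is one of, or sits under, a domain the organization owns."""
    return any(fqdn == d or fqdn.endswith("." + d) for d in controlled_domains)


def audit_suffix(primary_suffix, controlled_domains, probe="fileserver", level=2):
    """Return the candidate names that fall outside the controlled domains."""
    return [
        name
        for name in devolution_candidates(probe, primary_suffix, level)
        if not is_controlled(name, controlled_domains)
    ]


if __name__ == "__main__":
    # Constructed sample inventory: primary DNS suffixes found on clients.
    controlled = {"example.com"}  # hypothetical registered domain of the org
    for suffix in ["ad.example.com", "corp", "emea.corp.com"]:
        leaks = audit_suffix(suffix, controlled)
        status = "OK" if not leaks else "outside controlled namespace: " + ", ".join(leaks)
        print(f"{suffix:16} {status}")
```

A suffix is reported when any candidate name ends outside a registered domain the organization owns, which is the condition the article describes for companies that kept the “corp” default.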