It doesn't seem so long ago that one of Microsoft's marketing phrases was "Where do you want to go today?"

Now, it seems the phrase is "You'll go wherever the hell we decide you can go, and like it!"

You bought and paid for your computer running Windows 8, but you don't own it because you can't control it.

Gawd i love this place!!!

Rotfl!!!!

woodsmoke

Yeah, that's where my Win 8 VM went too -- before I ever knew about this crappy "feature". I wonder how much Zuckerberg paid MS for that one?

Talk about kicking and shoving users toward open source!

The comments to the ghacks article are ... well, some are just stupid, but some make me think.

One commenter agrees with another comment that's pure vituperative bile, but then says this:
If there are any security experts here ... how true is the claim "hosts redirection is a common attack vector"?

No need to comment on whether changing the file, for selected hosts only, has any bearing on such a risk.

(I look forward to the day when someone says "go Microsoft for not allowing userspace programs to edit system files at all without the user re-authenticating".)

Later
Maybe it and other moves like it will dent the acceptance of Windows 8, but no company (I hope) replies on the hosts file - external firewalls are the thing.

Do you think Windows 8 would have been designed this way if Mr William Gates was still running the business on a day to day basis?

@SecretCode: this has nothing to do with security. It's true that some malware can change the hosts file (or could, I don't do that much Windows security anymore). But malware simply writes a new hosts, or adds entries in it. That's one way to block you from going to antimalware-sites for cleaning up, help, etc., or to redirect you to some spooky site.
But since Windows 7 (so also in 8 ) that's much harder, because you need administrator rights to change the hosts file. In XP you need that too, but everybody runs that in administrative mode, because otherwise it's unworkable.
If I understand SteveRiley well, only that two entries are removed. (Maybe more, I guess SteveRiley doesn't have every possible entry in his hosts). That has nothing to do with security. Removing such an entry from the hosts file (I suppose it's redirected to 127.0.0.1 or something like that) has only one purpose: to make it impossible to block that address. So Microsoft forces you to give data to facebook/ad.doubleclick.net/...

Hmmm. I decided to read the article SteveRiley linked to. Should have started with that, before writing something... It turns out this is probably a bug in Windows Defender. I should have known better, because ad.doubleclick.net is owned by Google, so why should Microsoft help Google make money?
This kind of bug has been happening before, but it's really an unbelievable stupid bug. Didn't happen for years. Some antimalware-programs etc. check the hosts file for redirects. That's to protect you from being redirected. In the past some programs didn't check the right way and removed every instance of a name. Even if it was there to protect you. It seems Microsoft has managed to get this really stupid error in Windows Defender. Even if ad.doubleclick.net is in the hosts to protect you, remove it. Google will be happy!
In this case I believe it's a bug, because Microsoft has no interest in helping Google.

Another edit: there are other ways to block things like ad.double.click etc. In Firefox you have extensions like Do Not Track+, adblock, etc. I guess they exist for other browsers too. As far as I know there's no way to manipulate those extensions. But a site can always block you if you don't allow them to set cookies, to connect with some adware-site, etc.

That's Steve's point.

Was it accidental?

Err... because Google paid them to remove it?

I don't think it can be dismissed as a simple bug, but that does make a convenient excuse when the removals were noticed. We will be able to tell if it was a bug IF Microsoft "fixes" that bug and allows users to include facebook.com and ad.doubleclick.net in their hosts file. Otherwise, it is not a bug.

And, Microsoft does have an interest in making money.

I programmed apps for Windows for years and used regular expressions to parse text files for various reasons. Using regular expressions to search text files for patterns is a well grounded technology. Complicated at times, but not rocket science. One always uses test case files. Unless MS had given up on hiring professional programmers and is hiring rookies to save money, they tested their algorithms to make sure the hosts file didn't contain domains related to their financial interests.

Windows Defender is obviously searching the hosts file for known malware domains and removing them. Being an investor in Facebook, Microsoft has that horse in the race. MS uses ad.doubleclick.net to serve its own ads as well, so it has a second horse in the race as well.

Knowing Microsoft's past ethical and greedy behavior, I have no troubling believing that MS removed both the facebook and the ad.doubleclick.net domain names for financial reasons.

The claim is not without merit. Infecting the hosts file has been one avenue for enabling other attacks to succeed. But this route isn't so popular anymore: the file is owned by SYSTEM, only those in the Administrator group can change it, and most modification attempts will trigger a UAC consent (one that won't do so is an Admin human intentionally editing the file).

The comments in the source article mention another domain that will be removed if its presence is detected. I don't recall which at the moment, though. But the stated reason for doing this is, in fact, to thwart certain malware from hijacking popular domains, regardless of whether Microsoft owns the domain. It is not a bug in Defender.

I suppose the possibility of this being true is greater than zero percent

Maybe I'm to naive. But if Microsoft is doing this by purpose it's so unbelievable stupid, I hardly can believe they do it this way. Lots of people use the hosts file, so it's for sure this is noticed.
Since Microsoft owns the os completely, I guess they have much more secret ways they can do this. And, as far as I know, they don't do anything with things like adblock or Do Not Track, much more popular then the hosts file.

I found on some sites Google, Yahoo, Twiiter, and some other entries are also removed. If they do this on purpose, to make money, it's of course completely wrong etc.
If it's indeed a 'feature', it's the most stupid security feature I've ever seen. It's very easy to see if those entries point to 127.0.0.1. If that's the case, there probably is no reason to remove them. If those entries were added through malware, there have to be more indications the machine is infected. Windows Defender should check for those indications before removing this entries.

I shouldn't be too surprised if it's just for the money. But it's such a stupid way even the makers of Windows have to be able to find a smarter way, I guess.

It isn't uncommon for Microsoft to start with a blunt mechanism and then fine tune it later. A future improvement might be indeed to check what the redirection points to.

Do you have a source for this?

I should have given the source right away, of course. Here it is:
http://hexus.net/tech/news/software/...-ads-facebook/
The original site is in German, but I guess most people here prefer English.

Yeah, that's right, Microsoft starting with an ax changing it slowly to a kitchen knife. I sometimes still wake up screaming when I've had a bad dream of the first incarnation of Windows Defender, or whatever it was called a few years ago. Don't know how it's working at the moment (apart from changing the hosts file). Microsoft Defender, McAfee and Norton/Symantec: three anti-virus that behaved like malware themselves. Don't know how McAfee and Symantec are at the moment. Well, they had one very good department: marketing.

If I remember correctly you can block adds in messenger using the host file. Maybe that is the reason for this.