It seems like Microsoft has lost control of a crucial Windows Tiles subdomain that allows websites to send data to Live Tiles. The subdomain in question was first set up by Microsoft to work with Windows 8 and was later extended to Windows 10 as well.
The subdomain is part of the buildmypinnedsite.com service that Microsoft deployed with the launch of Windows 8. The service was set up to let websites add metadata so that they can send data back to Microsoft Edge’s list of pinned websites on the user’s computer. However, the domain was not able to handle the requests, so Microsoft set up the subdomain notifications.buildmypinnedsite.com, which converts the websites’ RSS feeds into a special XML format that the Windows Tiles service parses to create the animated Live Tiles.
Unfortunately, the service broke today. Hanno Böck (via ZDNet) is a researcher who noticed that the subdomain was not registered with Azure. Seeing this, he went in and registered the subdomain on his Azure account.
The host that should deliver the XML files – notifications.buildmypinnedsite.com – only showed an error message from Microsoft’s cloud service Azure. The host was redirected to a subdomain of Azure. However this subdomain wasn’t registered with Azure.
He has already notified Microsoft but hasn’t received any response from the company. He said that he can’t hold on to the subdomain for too long, since the overwhelming traffic on the host is increasing his maintenance costs.
We won’t keep the host registered permanently. There’s a decent amount of traffic reaching this host and running up costs. Once we cancel the subdomain a bad actor could register it and abuse it for malicious attacks.
If he cancels the subdomain, any hacker can register it and reverse-engineer the method to craft malformed XML files that could abuse the Windows Live Tiles service to run code on the computers of users who still have website-based Live Tiles in their Start pages/menus.
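The root cause described above is a DNS record left pointing at a cloud hostname that nobody holds any more. As an added example (not code from the article, the researcher or Microsoft), here is one way a zone owner can audit for that condition by comparing CNAME targets with an inventory of cloud hostnames the organisation actually holds; the suffix list, the zone export and the inventory are constructed assumptions.

```python
# Illustrative, non-exhaustive list of Azure-hosted name suffixes (assumption, not from the article).
AZURE_SUFFIXES = (".azurewebsites.net", ".cloudapp.net",
                  ".cloudapp.azure.com", ".trafficmanager.net")


def parse_cnames(zone_text):
    """Yield (owner, target) for each 'owner [ttl] [IN] CNAME target' line of a zone export."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()      # drop trailing ';' comments
        upper = [f.upper() for f in fields]
        if "CNAME" in upper:
            i = upper.index("CNAME")
            if i >= 1 and i + 1 < len(fields):
                yield fields[0].rstrip(".").lower(), fields[i + 1].rstrip(".").lower()


def find_dangling(zone_text, owned_hostnames, suffixes=AZURE_SUFFIXES):
    """Return CNAMEs that point into a cloud namespace at a hostname we no longer hold."""
    owned = {h.rstrip(".").lower() for h in owned_hostnames}
    return [(owner, target)
            for owner, target in parse_cnames(zone_text)
            if target.endswith(suffixes) and target not in owned]


# Constructed zone export; every name and target below is made up.
SAMPLE_ZONE = """\
www            3600 IN CNAME shop-frontend.azurewebsites.net.
notifications  3600 IN CNAME old-feed-service.cloudapp.net.  ; service deleted, record kept
mail           3600 IN MX    10 mx.example.com.
docs           3600 IN CNAME docs.example-cdn.com.
"""

# Constructed inventory: hostnames of cloud resources currently provisioned in our own account.
OWNED = ["shop-frontend.azurewebsites.net"]


def demo():
    return find_dangling(SAMPLE_ZONE, OWNED)


if __name__ == "__main__":
    for owner, target in demo():
        print(f"DANGLING: {owner} -> {target} (remove the record or re-provision the target)")
```

Checking against an inventory rather than live DNS matters here because, as in this case, an unclaimed target can still answer with the provider's generic error page.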