WebTV Security Hole
Fillup writes "According to this article from Wired News, the ever-so-security-conscious Microsoft has overlooked yet another major privacy and security issue." Basically the bug allows sending of email from unknowing WebTV surfers. Amusing that they're using it to spam the abuse email address, but it's a definite concern.
A Slashdot report on a security hole in WebTV, whose only value is to make Slashdot readers go "gee another Microsoft hole".
Where's the report on this hole which actually affects most of the readers of this site? Are Microsoft bugs more important to Slashdot readers than bugs in Linux?
this just recently came up on the spamcop newsgroup... a quick look at how it works and I've already come up with at least a handful of very nasty potential exploits, not to mention some of the stuff that's already being done. The whole thing just screams that there was NO thought given to security in the design of WebTV's mailto: url extensions. I wonder how many more of these gems are ticking away under the covers of systems like these?
In addition to being able to generate emails without the user's knowledge, the code can be engineered to forward emails from sent mail or saved mail folders.
This is the part that concerns me. It would be easy to catch someone who was using a malicious web page to spam. (find the source webtv address, ask them to check their history, sooner or later you'll find the offending page.) Finding someone who was using a malicious web page to read WebTV users' sent or saved mail folders might be a different story.
Thank you for not thinking.
you said, and the article said, that the WebTV people could download updates to the WebTV users instantaneously to fix any bug.
How secure is this??
would it be possible for me to somehow, maybe because i have a router between the webtv user and the webtv server (this is totally hypothetical) (can webtv connect over LAN?) figure out exactly what kind of communication goes on between the user and server, then somehow spoof packets from the WebTV server towards random WebTV users such that the webtv believes it is downloading an update, but is instead downloading some malicious software..?
This is something i've always wondered about auto-update, but i assume some kind of security happens in most auto-update programs because they are things like operating systems, virus update programs, etc., that would be very easy to reverse-engineer and therefore have a great need for that kind of security..
WebTV meanwhile has no such need for security and thus doesn't seem quite as likely to have the security there. Also the way people have talked about this has implied the downloads are initiated by the server, not the client, which if so is very odd, and a lot easier to fake. If the downloads are initiated by the client i don't know how you'd be able to do anything, again unless you had a router between the webtv and the webtv server.. and if you're that close to the webtv you can probably just go over and beat the crap out of it with a baseball bat anyway.
ok now i'm curious.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
First of all, this isn't a major security hole. All it does is allow someone to send email as you. While that would cause you or me to totally flip out, that's not a big concern to most people and certainly not to those who use WebTV.
My office has 1,200 users each with Windows NT and Outlook. I can tell you that fewer than 20 of those lock their workstation or logout at lunch. Anyone can use their mail client to send nasty messages. Does anyone care? No.
Which brings me to my grandmother. She's 78 and very open minded. She, however, didn't get a VCR till 1996. She was not and is not a candidate for a computer.
My grandmother got a WebTV for Christmas of 1998. She uses it twice a day (morning and night) to exchange email with her children and grandchildren.
It used to be that she got pictures of the family three or four times a year. Now, if I take digital pictures of a weekend BBQ, I can send them to her and she can see how the great-grandkids are growing.
Some will argue that a PC could have been configured just as simply as the WebTV. Yeah, you may be right. But for under $400, she was on the web in under an hour. And when she needs support, she calls WebTV and not me.
You won't find all of that in a PC-based solution that my grandmother would be happy with.
InitZero
Now THAT's what I call an effective security fix. If you find a security hole, just tell your customers not to do anything that might take advantage of it! Piece of cake!
But that's pretty much par for the course. Remember when the Pentium F0 0F bug was discovered? Microsoft's advice: "Don't run executables you don't trust." Well, okay. Given the situation, that's about the only advice that they really could give. But it's worth noting that Linux and all of the BSD derivatives had released a workaround patch within 48 hours. It was the difference between "Don't do this" and "It doesn't matter if you do this."
This is one of the areas where open source wins big. You don't have to wait for a software provider to come up with some sort of a proprietary, black-box, binary "Service Pack" to fix a problem. When you get that pack, you don't have to worry about whether or not installing it is going to clash with something else and cause even worse problems. All you've got to do is download and apply the source patch, rebuild and voila .. you're ready to go.
Anyway, it will be interesting to see what kind of fix they come up with for this.
We're going down, in a spiral to the ground
it probably will take years for a working fix to be released.
Is a fix possible without a recall? I mean this is a WebTV we are talking about.. is it a problem in a rom?
Jeff
The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
what's frightening is the reason this security hole exists:
"the code was originally written by a WebTV employee as a means of tracking people who visited the site"
Maybe it's time for an open-source settop box OS/browser ......
The last thing I want is to wire all my appliances together. Hundreds of thousands of coders can't even keep even the most worked on OS safe from even script kiddies, you're crazy if you want to invite such deviants into your Pink Flamingos playing VCR.
I really hope the wet dream of IP fantasy proves itself to not only be unfeasible but stupid. How much more lazy is the populace going to get if they need to call their VCR to record something instead of firing 10 neurons and remember before they leave the house to program the thing?
Does your cousin in Hoboken really need to know the temperature of your toaster oven?
If anything, a wired house, if one really wants one, should be connected to its own little computer and never connect to any WAN. Those that don't like this setup are setting themselves up for a very nasty fall.
Actually, not everybody knows. The people making the attempt to fix the cheating in quake have a closed source solution. Find it here
Sosumi. just kidding. DON'T!
My bad on the Viacom thing, I screwed that up, but at least the basic premise still stands.
If you win a lawsuit against WebTV, WebTV pays, not MS. Although MS owns WebTV, WebTV is still a separate company. WebTV could go bankrupt, and that wouldn't mean MS is bankrupt.
People seem to confuse being owned by a company with merging with a company. If two companies merge, they become one company. There is no more them and us, only us. If a company "buys" another company, all that means is company A owns a controlling interest (usually 51% of the stock) in company B. They are still two separate companies.
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
I (and Linus, apparently) view this as a dist problem rather than a Linux problem. You can tweak the kernel to make buffer overflows much harder, but Linus doesn't want to do that because there are uses for an executable buffer and it's the applications rather than the kernel that should be fixed.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I think that a bigger issue could come in if people start sending flame mail to people and then try to pass it off as someone having exploited that security hole. This will enable anyone to just send a piece of hate mail and then blame someone else for it claiming that there was no way they could have known it happened and it couldn't have been them.
-----
so there should be no need for a recall.
Hidden Win2K Menu
Wanna place a bet on when the first major Open Source security fuckup will happen?
Too late, sendmail's been the poster child for hideously insecure Open Source software for years. Granted, in maybe the past two, it's improved dramatically in that regard.
DNA just wants to be free...
MSK
Hmmm.. I can now send email, automatically, from any WebTV account.. Perhaps I will hack together a small bit of code to 'spam' the USPTO, before some dishonest SIG gets their hands on it and uses it to spam Congress with 'Fire Janet Reno! Drop the monopoly charge against Microsoft'.
Guess the Special Interest Group!
.sig: Now legally binding!
Patient: Doctor, Doctor, it hurts when I do like this!
Doctor: Then don't do like that!
Now THAT's what I call an effective security fix. If you find a security hole, just tell your customers not to do anything that might take advantage of it! Piece of cake!
-=-=-=-=-
-=-=-=-=-
My mom's going to kick you in the face!
Since this is the first major security hole I've heard about, maybe this will convince others that WebTV isn't all it's cracked up to be. If you add up the cost of a WebTV unit, a DVD player, and a home theater system, you will find that a comparably equipped computer (with TV output) could be purchased for the same/nearly the same price, and it would be able to do the same job and more than its counterparts.
-----
I dunno if you read the link from that news site, but here's a direct link with more info:
:-)
http://net4tv.com/voice/story.cfm?StoryID=1823
A few tidbits:
First, it's a code which is interpreted by the box to send an e-mail to anywhere, automatically. It's intentional. Essentially, it's an e-mail receipt system that has WAY too much power.
Quote:
"The code, which is being embedded in posts in WebTV's alt.discuss newsgroups, emails and web pages, directs any WebTV box that loads the page to send an email message to an address set in the code. The code executes "in the background;" users who have sent the mail do not see any indication of mail being sent, and only find out about it if they receive a reply or look in their Sent Mail folders. "
Since WebTV treats everything as a web page (dumb) it runs this thing every time you look at the page.. Some of these e-mails use another code to keep people from forwarding the e-mail using the webtv box.
In other words, it's not a bug, it's a feature.. The feature from hell.
---
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
Caveat: I worked for WebTV in operations until early December (when I quit to start up a linux-related company. Yay.) I'm not going to reveal any deep company secrets, though.
This is not terribly surprising to me. WebTV is a very unusual ISP. There are a lot of behind-the-scenes tricks and features that take advantage of the fact that they control the hardware and software of their users. Some of them are very good. (For example, on each connect each box reports data on failed dialing attempts. By aggregating these, they have a really interesting picture of all the pops that their ISP partners are letting WebTV boxes into, including when busy signals occur, when outages occur (since the WebTV box gets in through a different pop on failure and can still report), when there are radius authentication issues, and so on. It's not uncommon for WebTV to know a pop is down before the ISP that owns it is - which is no knock on the ISP, it's kudos for making a powerful feature that normal computers don't have.)
But while some of the features are really useful, and most are innocuous, there's a fair amount of stuff out there, like this, that was never intended for the public at large and can be easily abused. There are certainly WebTV users that are far more clever and malicious than one would expect, and they've exploited a number of bugs throughout the years.
Historically, WebTV has actually been pretty good internally about fixing these things. The operations team really does care, from experience, and beats on engineering until they get a fix. It is easy to distribute patches to the service (the internal machines.) It's a bit more work, but not a big deal, to offer users a patch that automatically installs to their own boxes if something needs to be done on that end, but those kind of bug fixes tend to be put on hold until features are being rolled out unless it's a serious bug, since users complain A LOT if they download an upgrade and don't see anything different.
I don't think this means much to the slashdot crowd, other than some cheap Microsoft bashing. It's a real bug, which is a product of a complicated proprietary system, and will almost assuredly be fixed pretty easily. (Don't ask me why someone thought this feature was a grand idea, mind you.)
I personally don't think the set-top box has much life left in it as a replacement for a personal computer. PC prices have plummeted since 1996, when WebTV looked much more attractive. The ease of use and maintenance of an appliance is nice, but only goes so far. However, don't think that WebTV doesn't know this. They're really strongly pushing interactive television (both in ads, and back on the TV industry to create more of it.) They've already got digital VCR capability in the satellite models (much like TiVo and replay tv. It was actually almost on the market for WebTV when these showed up.) I speculate wildly that it makes sense to have something WebTV going along with Microsoft's X-Box when it ships - WebTV was part of the Dreamcast in Japan (but not in the US.) WebTV also really wants to be in cable boxes - they've announced a deal with Rogers in Canada.
The bad news is that if they win, we won't have a likelihood of open standards, and the interactive television market will be another Microsoft market. But the game is certainly just beginning. It'll be interesting to watch. It's clear to me that interactive TV will be a Big Thing, and pretty soon, and WebTV will be a player, and has a good chance at being the big player.
Okay, I rambled.
-- Kate
She (Laura Buddine) said the code was originally written by a WebTV employee as a means of tracking people who visited the site but has since turned into a tool for ne'er-do-wells.
They wrote the code that is creating the problem... This is not the first time that an (soon to be ex if not already)-employee has created a major problem for his company. Still I think most security holes (about 98%) are not created by the company that makes the product.
This also is not new.
According to Laura Buddine of Iacta.com, the parent company of Net4TV, the code was first made known to the hacker community in September, but has become widespread during the last week.
It just has become widespread, I wonder why they didn't do anything about it when it was discovered last September? Hmmm... if this was not Microsoft, the problem would have been fixed right away, but given that it is, it probably will take years for a working fix to be released.
And lastly...
Malicious programmers have been embedding the HTML of Web pages...
That makes it sound far more of a webpage problem than a newsgroup problem, and they say not to visit a SINGLE newsgroup? IQ Test Plz....
Is it progress if a cannibal uses a fork?
It is important because it may be the first case of a real security issue arising from a non-PC device.
People tend to approach PCs with a bit of concern because of a long history of viruses, while black-box items like stereos and TV's are "clean" devices.
If the future of electronics means an IP on everything, then security will need to become a much bigger issue.
-cwk.