Slashdot Mirror
WebTV Security Hole
Fillup writes "According to this article from Wired News, the ever-so-security-conscious Microsoft has overlooked yet another major privacy and security issue." Basically the bug allows sending of email from unknowing WebTV surfers. Amusing that they're using it to spam the abuse email address, but its a definite concern.
Wanna place a bet on when the first major Open Source security fuckup will happen?
Too late, sendmail's been the poster child for hideously insecure Open Source software for years. Granted, in maybe the past two, it's improved dramatically in that regard.
DNA just wants to be free...
I agree, this is a story to let people laugh/scream at MS.
But the hole you pointed out has major differences to this article.
o This article is about a bug that was originally a 'feature' designed to track users.
o MS has been aware of the exploit since September, and done nothing.
o There are many real exploits actually being used. This is not just a theoretical security risk.
o WebTV is marketed to people who don't understand computers at all, and probably don't even own one. There is no way for them to fix bugs. Since MS/WebTV has asked the customers to put complete faith in them, it is 100% MS/WebTV's responsibility for this fundamental design failure.
The security hole you linked to
o HAS ALREADY BEEN FIXED
o didn't affect all users
o had viable workarounds even if the code hadn't been fixed
o was the result of a bug, not a fundamental design failure. Bugs are unavoidable. Stupid things like intentionally extending certain standards to allow a web page to send e-mail 100% as if it were the user viewing the web page is just stupid and should never have made it past the Detailed Design Document.
This article does have a purpose, however. MS has ignored this serious privacy/security issue for MONTHS!! They've clearly demonstrated that they are sitting on their thumb about this, and therefore the only way to get them to move is some good old-fashioned bad publicity. I doubt we have many WebTV users reading Slashdot, but publicity also warns the WebTV users about the problem.
(I am NOT an advocate of "let's make M$ fix the problem by exploiting some poor SOB who happened to choose Windows for some reason")
MSK
Hmmm.. I can now send email, automatically, from any WebTV account.. Perhaps I will hack together a small bit of code to 'spam' the USPTO, before some dishonest SIG gets their hands on it and uses it to spam Congress with 'Fire Janet Reno! Drop the monopoly charge against Microsoft'.
Guess the Special Interest Group!
.sig: Now legally binding!
Patient: Doctor, Doctor, it hurts when I do like this!
Doctor: Then don't do like that!
Now THAT's what I call an effective security fix. If you find a security hole, just tell your customers not to do anything that might take advantage of it! Piece of cake!
-=-=-=-=-
-=-=-=-=-
My mom's going to kick you in the face!
Since this is the first major security hole I've heard about, maybe this will convince others that WebTV isn't all it's cracked up to be. If you add up the cost of a WebTV unit, a DVD player, and a home theater system, you will find that a comparably equipped computer (with TV output) could be purchased for the same/nearly the same price, and it would be able to the same job and more than it's counterparts.
-----
I dunno if you read the link from that news site, but here's a direct link with more info:
:-)
http://net4tv.com/voice/story.cfm?StoryID=1823
A few tidbits:
First, it's a code which is interpreted by the box to send an e-mail to anywhere, automatically. It's intentional. Essentially, it's an e-mail reciept system that has WAY too much power.
Quote:
"The code, which is being embedded in posts in WebTV's alt.discuss newsgroups, emails and web pages, directs any WebTV box that loads the page to send an email message to an address set in the code. The code executes "in the background;" users who have sent the mail do not see any indication of mail being sent, and only find out about it if they receive a reply or look in their Sent Mail folders. "
Since WebTV treats everything as a web page (dumb) it runs this thing every time you look at the page.. Some of these e-mails use another code to keep people from forwarding the e-mail using the webtv box.
In other words, it's not a bug, it's a feature.. The feature from hell.
---
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
Caveat: I worked for WebTV in operations until early December (when I quit to start up a linux-related company. Yay.) I'm not going to reveal any deep company secrets, though.
This is not terribly surprising to me. WebTV is a very unusual ISP. There are a lot of behind-the-scenes tricks and features that take advantage of the fact that they control the hardware and software of their users. Some of them are very good. (For example, on each connect each box reports data on failed dialing attempts. By aggregating these, they have a really interesting picture of all the pops that their ISP partners are letting WebTV boxes into, including when busy signals occur, when outages occur (since the WebTV box gets in through a different pop on failure and can still report), when there are radius authentication issues, and so on. It's not uncommon for WebTV to know a pop is down before the ISP that owns it is - which is no knock on the ISP, it's kudos for making a powerful feature that normal computers don't have.)
But while some of the features are really useful, and most are innocuous, there's a fair amount of stuff out there, like this, that was never intended for the public at large and can be easily abused. There are certainly WebTV users that are far more clever and malicious than one would expect, and they've exploited a number of bugs throughout the years.
Historically, WebTV has actually been pretty good internally about fixing these things. The operations team really does care, from experience, and beats on engineering until they get a fix. It is easy to distribute patches to the service (the internal machines.) It's a bit more work, but not a big deal, to offer users a patch that automatically installs to their own boxes if something needs to be done on that end, but those kind of bug fixes tend to be put on hold until features are being rolled out unless it's a serious bug, since users complain A LOT if they download an upgrade and don't see anything different.
I don't think this means much to the slashdot crowd, other than some cheap Microsoft bashing. It's a real bug, which is a product of a complicated proprietary system, and will almost assuredly be fixed pretty easily. (Don't ask me why someone thought this feature was a grand idea, mind you.)
I personally don't think the set-top box has much life left in it as a replacement for a personal computer. PC prices have plummeted since 1996, when WebTV looked much more attractive. The ease of use and maintenance of an appliance is nice, but only goes so far. However, don't think that WebTV doesn't know this. They're really strongly pushing interactive television (both in ads, and back on the TV industry to create more of it.) They've already got digital VCR capability in the sattelite models (much like TiVo and replay tv. It was actually almost on the market for WebTV when these showed up.) I speculate wildly that it makes sense to have something WebTV going along with Microsoft's X-Box when it ships - WebTV was part of the Dreamcast in Japan (but not in the US.) WebTV also really wants to be in cable boxes - they've announced a deal with Rogers in Canada.
The bad news is that if they win, we won't have a likelihood of open standards, and the interactive television market will be another Microsoft market. But the game is certainly just beginning. It'll be interesting to watch. It's clear to me that interactive TV will be a Big Thing, and pretty soon, and WebTV will be a player, and has a good chance at being the big player.
Okay, I rambled.
-- Kate
She (Laura Buddine) said the code was originally written by a WebTV employee as a means of tracking people who visited the site but has since turned into a tool for ne'er-do-wells.
They wrote the code that is creating the problem... This is not the first time that an (soon to be ex if not already)-employee has created a major problem for his company. Still I think most security holes (about 98%) are not created by the company that makes the product.
This also is not new.
According to Laura Buddine of Iacta.com, the parent company of Net4TV, the code was first made known to the hacker community in September, but has become widespread during the last week.
It just has become widespread, I wonder why they didn't do anything about it when it was discovered last september? Hmmm... if this was not Microsoft, the problem would have been fixed right away, but given that it is, it probably will take years for a working fix to be released.
And lastly...
Malicious programmers have been embedding the HTML of Web pages...
That makes it sound far more of a webpage problem than a newsgroup problem, and they say not to visit a SINGLE newsgroup? IQ Test Plz....
Is it progress if a cannibal uses a fork?
It is important because it may be the first case of a real security issue arising from a non-PC device.
People tend to approach PCs with a bit of concern because of a long history of viruses, while black-box items like stereos and TV's are "clean" devices.
If the future of electornics means an IP on everything, then security will need to become a much bigger issue.
-cwk.