Possible RSS Abuse in Longhorn
dMill writes "There has been a lot of discussion about Microsoft's decision to bake RSS into Longhorn (see previous Slashdot coverage) but the obvious security implications seem to be on the back burner. eWeek has a story discussing the risks and Don Park is also warning about the potential for abuse and exploitation. For example, the primary mechanism behind podcast, RSS enclosure, can be used to deliver worms and worse to the desktops. If there are any vulnerabilities in iPod (or any MP3 player hooked up to podcast sync client) codec, then podcasting is a good way to deliver overflow inducing content."
Well, I never!
Note to mods: I'm probably being sarcastic.
let's not be obtuse - we know there are vulnerabilities, MSFT just doesn't want to fix them in a way that won't let them steal the underlying patents from the public and others.
[caveat - I own MSFT stock]
-- Tigger warning: This post may contain tiggers! --
Worse than worms?!? Worms can get into your system, slave it, erase or steal data, slow it down, advertise to you, and any number of other things! What's worse than lost data, identity theft, popups, and a slow computer? Strangulation via TCP/IP?
~Will
sig?
Especially in light of this previous article.
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
I guess OS X must be REALLY insecure then.
There is a big difference between RSS being a security risk and a bad implementation of an RSS reader and poor security model being insecure.
I don't see what the big deal is with RSS, who really cares about it anyway? -------------------- Rocky Triton http://www.dreamsyssoft.com/
When are we going to stop acting like each new protocol or application vulnerability is a new thing? Until NX (No Execute) and good input sanitization are ubiquitous, these things will continue to plague the networked world.
Always value the individual over the system. --Bruce Lee "I don't need a Sig - I have a custom 191" - me
...cause Longhorn is going to be built on secure .Net technology......oh wait....nevermind. :-)
Coder's Stone: The programming language quick ref for iPad
in case the articles get nuked:
http://www.eweek.com.nyud.net:8090/article2/0,1759,1833035,00.asp
http://www.docuverse.com.nyud.net:8090/blog/donpark/EntryViewPage.aspx?guid=1bedfa3f-e67f-4d78-8b2d-cff3a9ccf90a
Handy little caching service.
anime+manga together at last.. in real time.
MS loves to integrate things deep into their OS and infrastructure so you can bet RSS support will be yet another security hole for them and everyone else to deal/live with. I wonder how Firefox, Safari or iTunes is mitigating the risk on their stuff?
I was actually going to read the eweek article, when this stupid little div popup appears, complete with candy-ass XP style close button. No thanks.
I have two eyes, I have two feet.
What retard decided to put binary data in RSS? Or would allow execution of code linked to by an RSS feed? That is truly the most retarded thing Microsoft could have done with regards to security. It's like a condom with the capability to have semen smeared on the outside. Utterly fucking stupid.
By summer it was all gone...now shesmovedon. --
Oh I see,
Don Park is warning!
Glad to hear what Don Park has to say about this story.
I love Don Park, I read every word he writes!
WHO THE FUCK IS DON PARK?
RSS is a transmission vector. Data can get onto your system through RSS in the same way it can get onto your system through email, through floppy disks, through web browsing, and so on.
Wherever there's a transmission vector, there's possibility for infection if applications that consume that data are insecure.
So basically, this "possible abuse" warning is simply saying "You know those applications that suck up lots of untrusted data? If they are insecure, you may have problems!" Sorry, but there's nothing new here.
In fact, having it built into Longhorn could reduce the likelihood for security holes. All the RSS-consuming applications use their own home-grown parsing routines right now. Switching to one shared library means there's only one place for vulnerabilities to arise in this respect, and when each vulnerability is fixed, it will be fixed for all the applications at once.
On the other hand, this is Microsoft that is writing the shared library, and we all know how secure their coding is. Internet Explorer hasn't had any meaningful updates for four years, and they are still finding holes in it on a regular basis - which means that every application that embeds Trident (Internet Explorer's rendering engine) is constantly in a state of insecurity. It all comes down to the benefits of shared libraries versus the incompetence of Microsoft.
This is one reason why Microsoft is looking at purchasing Claria? The guys over there are probably pretty good at finding vulnerabilities by this point.
--------
This isn't the sig you're looking for. Move along.
Many businesses are still content with Windows2000; and see little reason to upgrade to Longhorn. One of the easiest buttons to push to get a CFO to approve upgrades is finding security holes in the old systems.
As long as Microsoft's business model is so dependent on bleeding its existing customers until they're dry; I don't think it's really in their interest to stop security holes. Of course they don't want to launch Longhorn with a bunch of old IE holes that are already exploited, so they need to find new areas for this. Slowly adding new holes like RSS; where the holes may not be found for many years is perfect for the upgrade plan.
[yes, it was a troll; but I think there's a truth to the fact that security weaknesses in Windows are a major driver of upgrades]
RSS abuse has gone on far too long. It may seem unthinkable to some people who long for an RSS of their own (but have had to adopt), but some people do abuse RSS.
If you see your RSS feed has some broken links or other irregularities, report it immediately to your sys admin -- even if the RSS explains it away as random line noise or CRC errors. Protecting one's abuser is a sign of continued abuse.
Only YOU can help stop RSS abuse!
This would be a great opportunity to address the security concerns over RSS in a very big lab. Using Longhorn as a test platform and counting on Microsoft's dominance of the desktop market might provoke positive reactions from AV and security software developers.
Am I correct to understand that the difference between RSS as found in Tiger and Longhorn is that the latter integrates it directly into the OS, versus the former which has RSS as a separate component? If this is true, what sort of moron ... oh, never mind. Obvious answer to that question ;)
...decision to bake RSS into Longhorn... ...on the back burner.
No wonder MS says they can't remove things like IE from the operating system; They cook it all together!!!
"The price good men pay for indifference to public affairs is to be ruled by evil men." ~Plato (427-347 BC)
I see the comments are already filled with "What do you expect its microsoft!!!" and "Hah! hacked b4 its out!!!" comments... This is just speculation about a potential vulnerability, in a feature that is not even in a beta in an OS that is not even in beta. Cripes, at least wait until it's out before rushing to any judgements...you know you all use Windows anyways.
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
People have some predefined conceptions and opinions when it comes to Microsoft products. Being crappy, buggy and insecure are some of the deep-rooted features. We just can't say "No" to them. Come on Longhorn guys - I want features that might burn down my computer :)
More seriously, by the time Longhorn actually gets released, the world might have passed RSS by. Either that or there will be several third party applications that will do something similar to what Microsoft hopes to do that will have already been released for XP.
Additionally, even if Microsoft does make an application that is buggy as all hell and hands every virus on the web free access to your machine, you don't have to use it. Unless, of course, Microsoft is tricky and builds it into IE. Even then you don't have to use IE.
So what if people are speculating about how bad this software will be and how insecure it could potentially be. If you don't use any of it, you really don't have to worry about it.
Microsoft has to continually introduce half-baked, insecure, and extremely-hard-to-secure technologies into Windows. Otherwise we would not be forced to license Latest-annoyance Scanner 200x which eats up gobs of RAM, bandwidth, disk space, and CPU time. Without this motivation we might all be happily surfing the web on a Pentium 120 running Windows 95. Microsoft's continued licensing revenues depend on them being able to slow your PC bit by bit. The HW manufacturers do something similar but they do it by changing formats of everything so you can't upgrade your old computer since you can't find parts for it at a retail store.
In 1999 people discussed the security problems of ActiveX. 3 years later MSFT was having a nightmare over those said same problems.
Embrace, extend poorly, and extinguish everything seems to be MSFT's philosophy.
MSFT wants locking so badly it forgets to look for the simple errors.
i thought once I was found, but it was only a dream.
We'll get to test this in what........2 years? Maybe more? I heard OSX might threaten linux, any credence to this?
-Randy
That's the whole point behind it. If the RSS interface is built entirely in .NET, then there's no security problem.
?
If you can describe a mechanism by which fixing a bug in my code can result in me owning a patent I'd love to hear about it.
Software patents are pure evil, but they've got nothing to do with this.
Never trust anyone with an id greater than 889388
Microsoft keeps adding stuff to Windows that allows external programs to initiate activity from the network. Windows Messenger Service. Universal Plug and Play. Windows Update. Active Management. AutoPlay. Now, RSS. And they consistently have them turned on by default. This guarantees a large supply of future security holes.
In ten years, they haven't even been able to secure Outlook.
Can't MS just develop a specific API for people trying to compromise Windows machines? It would be less work for everyone.
Floppy disks, hot swap drives, CD/DVD-Roms, thumb drives, jaz/zip/spark drives, internet connections, etc, can be used to deliver worms and worse to the desktops. The point is not that RSS is a security vulnerability, but that the OS and related sub systems must be up to the task of preventing the bad things that come across from doing damage. -Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
Anyone who's been using RSS readers will already be aware of this. The guys behind the excellent RSSOwl disabled 'execution of active content' quite some time ago. So if you executed some unknown quantity whilst reading Dilbert, it was your own fault (for not vetting the source of the feed in the 1st place). The average PC is already filled to the gills with xml configuration files. As long as the developers and eventually the users don't do something silly...Doh!!!
I don't know the key to success, but the key to failure is trying to please everybody. Bill Cosby (1937 - )
In other news Internet Explorer automatically downloads pictures linked to in HTML. Images could contain worms. And be executed by possible buffer overflows when image is displayed. Personally I would love RSS integration for most programs, an easy way to integrate things like changelogs in newer version notifications to decide if updating is worth it, etc etc. I have a feeling lots of cool stuff could be done with this power. I am all about delivering content formatted how you want it, where you want it, when you want it. Microsoft looks like it's on the right direction here.
I also spotted the IF in "If there are any vulnerabilities in iPod". Come on peeps, this is a non-story, every piece of code in every service running has a huge great IF attached to it. What IF ssh has a buffer overflow bug!? Oh, I hear you say it could never have? Were you saying that in August 2003? You can take it for granted bad code WILL be found in RSS streaming clients, and to integrate them into a system with high level privileges, and without years of testing is extremely foolish.
I barely use it to collate doings on the web and look at the skimmings on my Yahoo home page. It merely takes up space on Trillian and I don't even use it there. I can't think of anywhere else I bother. The only thing I can think of this being any good for is the aforementioned headline collecting and for web sites to automate their advertising yet another way.
Does every new webified format have to generate all the buzz it does? Or is it just because it touches on the (currently) new hotness iPod and podcasting?
If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
RSS enclosures can move anything. Corrupt the underlying XML (or the data it is trying to move in the enclosure) and all your victims will pull it onto their desktops automatically. An analog is having HTML email and using a preview pane. You wouldn't do that, but RSS enables it. Got a PDF that exploits an Adobe vulnerability? Add it as an enclosure. Got an image? Same deal. Got a zip? Go ahead. It's not just the currently trendy podcasting and audio files that pose threats. Worse yet, there are many RSS clients out there, not just a few (unlike browser or email). Many opportunities to find holes. Most clients use IE to render the HTML, so there's also the risk of phishing, embedded script, moveable code and other standard HTML malware. What are the vendors doing to mitigate this? Good question. Anyone from feedburner, say, care to comment?
RSS doesn't stand for Really Scary Security - yet. MSFT just made it a much richer target - let's save the guesswork about the quality of their implementation for when it actually shows up.
I wouldn't be surprised if Microsoft is doing this on purpose to show that only their new anti-virus program will be effective against these new threats since the Script Kiddie Support API is undocumented for outside anti-virus companies.
Because RSS allows enclosures, and because enclosures contain songs, and because songs can be ill-formed to allow overflow attacks -- therefore there is a weakness in RSS?
Perhaps a weakness in the codec, sure. Or a weakness in who you decide to download files from. Or even a weakness in your firewall application allowing sneaky code to talk to outside IP addresses. But a bug in RSS itself?
I must be missing something, because that doesn't add up, unless the goal is to change RSS somehow, simply because Longhorn is going to implement it?
Perhaps the unwritten story is that Microsoft is going to allow auto-code distribution and execution, in which case, I would humbly suggest, Microsoft has a problem, not the standard.
My two cents only
Can Chickens Swim? Find Out Now!
Gee, a potential security risk in an OS that isn't anywhere near release.
Yeah, that'll impact...lemme count....uh...carry the one...NOBODY.
How about writing about something a bit more relevant instead of wasting cycles speculating about security risks that may/may not exist in components that may/may not be included in an OS that is due for release in what...3 years or so?
Owns a LOT of M$FT stock!
So why would it be Microsoft's fault if there is a potential vulnerability in an arbitrary software product delivered by RSS?
Scenario - iTunes uses RSS to support Podcasting. A hole in iTunes allows a malicious user to attack the user's computer via the RSS feed. What part of that is due to MSFT?
For an RSS-exploit in Longhorn that:
Uses a privilege escalation to become administrator and then downloads a new and more secure operating system (e.g. OpenBSD) to replace Longhorn.
http://www.thebricktestament.com/the_law/when_to_
I'm far from an MS fan, doing all of my work for the last few years on Linux, and being currently in the process of moving to OS X. But I have to ask, why is /. reporting a possible vulnerability in an unreleased OS, whereas a serious flaw in the design of OS X (here, today, right now) has not been talked about at all.
Is this really any worse than all the open services that a windows box runs by default? Or using IE with the security settings turned down, or using IE at all ;)
How about using outlook and having it set to autodisplay emails (including running activex controls etc embedded therein)?
Sorry, but this isn't really news, until some company that makes an RSS reader sues MS for building RSS into the OS :)
Mat
Since when did operating systems become a religion?
So why would it be Microsoft's fault if there is a potential vulnerability in an arbitrary software product delivered by RSS?
Sorry if I was obtuse, but I meant to say that they will probably choose to "fix" it, but in such a way that they "extend" it as a MSFT software patent and thus "own" it.
History shows us this tends to happen.
[caveat - I own MSFT shares]
-- Tigger warning: This post may contain tiggers! --
Will it come with a new filesystem? No.
Will it come with a new command line interface? No.
Will it come with risk-laden RSS support "integrated" into the OS so that it can't be uninstalled? Yes.
Nice set of priorities there, Microsoft. I hope you aren't too surprised when I prioritize my cash in such a way that I stick with NT 5.x.
And he got modded +5 insightful!
Damn, next time I need to get a post modded up I'll mention that it should be modded down.
(BTW: despite being Offtopic, this was insightful or at least funny, wasn't it?)
It seems that Slashdot isn't the only one covering this. :-)
I FAIL to see how RSS can be a dangerous vector for viruses. Why do you ask? Well, first off, it's no worse than a web browser or e-mail which both happen to have the same ability to download executable binaries. Second, Mozilla Firefox, iTunes, Safari and probably IE 7 currently have no way of automatically running code. I have seen more iPodder clients (iPodder itself did have the problem but does not any more) that have the ability to open the media file upon download. The problem is much worse if Microsoft decides to do something brain dead with it. Now, if a virus is downloaded in an enclosure, there's still no danger.....you have to click on it for it to run. Plus the automated features of most podcatchers will save us. If your podcatcher, Safari or IE7 downloads a virus in the middle of the night, your nightly virus scan should catch it before it's too late if it doesn't catch it as soon as it's written to the disk so am I worried about RSS being a vector for this stuff? No more than I already worry about idiot users....means I don't lose sleep over it.
Gorkman
Integrating RSS into the OS is a bad idea, but not nearly as bad an idea as integrating a web browser, which has all the same issues and more. RSS doesn't fundamentally do anything more than a web browser, aside from automating revisiting a site. It doesn't deal with local files, so there's no trusted files going through it to complicate authentication issues. It's also much more limited in the expected control of the user experience, so there's less chance to spoof things.
The RSS enclosure tag (which contains the url to download) is associated with MIME types, not an iPod. You can use RSS for distributing software updates, for example, and it is certain that it will be used for this purpose. It is moronically easy to put an executable (or similar) into an RSS feed. Given that the majority of people that get podcast feeds have little to no understanding of how it actually works, you can bet that this will be exploited. They might be safe using their run-of-the-mill RSS feed consumer, but that's not what the article is about.
The story here isn't that the protocol can be exploited, it's that RSS processing is being embedded into the **operating system**. Once more, we see a vendor (Microsoft) including superfluous functionality into an application system that should not be there.
From the article:
Microsoft plans to embed an RSS (Really Simple Syndication) platform to automatically distribute feeds into Windows applications, both its own and those from developers. The plan is for Longhorn to provide a common feed list of subscriptions and a common feed store of data in Longhorn, which will be available to applications through Windows APIs.
One compromised source server, be it Microsoft's or a 3rd party's, will immediately push out malicious code and do more damage than any email-based trojan or website-installed spyware could ever hope to do. And while some folks like to think that their servers are impervious to attack, we all know that is simply not the case.
It is not a question of "IF" [sic] but "when". By bringing these issues to light now, rather than after the fact, it is hoped that Microsoft can be pressured into reversing their decision to integrate RSS-based APIs into the OS.
Ryosen
One man's "Troll, +1" is another man's "Insightful, +1".
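Added example, not part of the thread or of any RSS client's code: a sketch of how an aggregator could vet the enclosure attributes discussed in the comment above before it fetches anything automatically, and sniff the payload afterwards because the declared type is only the publisher's claim. The allowlist, size limit, function names and sample feed are assumptions constructed for illustration.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumed policy: media types the client fetches unattended, and the
# file extensions each type may legitimately carry.
ALLOWED = {
    "audio/mpeg": {".mp3"},
    "audio/x-m4a": {".m4a"},
    "video/mp4": {".mp4", ".m4v"},
}
MAX_LENGTH = 500 * 1024 * 1024  # assumed ceiling on the declared size


def check_enclosure(url, mime, length):
    """Return (ok, reason) for one <enclosure>; every attribute is untrusted."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    mime = (mime or "").split(";")[0].strip().lower()
    if mime not in ALLOWED:
        return False, "type not allowed: %r" % mime
    ext = posixpath.splitext(parts.path)[1].lower()
    if ext not in ALLOWED[mime]:
        return False, "extension %r does not match %s" % (ext, mime)
    if not (length.isascii() and length.isdigit()) or int(length) > MAX_LENGTH:
        return False, "bad length"
    return True, "ok"


def looks_like_mp3(head):
    """Check the first downloaded bytes: an ID3 tag or an MPEG frame sync."""
    if head[:3] == b"ID3":
        return True
    return len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0


def triage_feed(xml_text):
    """Return {url: (ok, reason)} for every enclosure in an RSS 2.0 document."""
    # Refuse DTDs outright so entity-expansion tricks never reach the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations refused")
    root = ET.fromstring(xml_text)
    results = {}
    for enc in root.iter("enclosure"):
        url = enc.get("url", "")
        results[url] = check_enclosure(url, enc.get("type"), enc.get("length", ""))
    return results


# Constructed sample feed (not from any real publisher).
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>constructed sample</title>
<item><enclosure url="http://feeds.example/ep1.mp3" type="audio/mpeg" length="1048576"/></item>
<item><enclosure url="http://feeds.example/update.exe" type="application/octet-stream" length="20480"/></item>
<item><enclosure url="http://feeds.example/ep2.exe" type="audio/mpeg" length="20480"/></item>
</channel></rss>"""

if __name__ == "__main__":
    for url, (ok, reason) in triage_feed(SAMPLE_FEED).items():
        print("FETCH " if ok else "REFUSE", url, "-", reason)
```

Anything that passes is still only downloaded, never opened or executed by the aggregator; the content sniff runs on the saved file before it is handed to a player.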
It all comes down to separating OS from software. Something MS just don't seem to understand.
On a sarcastic note, maybe it comes from them wanting to sell more software. If it isn't embedded in the OS you have to pay for it (DOC reader/writer, decent image editor etc. etc.). No one is going to buy an RSS reader from them, so they have to make it part of the OS.
This is something else the EU could sue MS over. Will Longhorn be available in the EU WITHOUT the RSS built in? They already got nailed for embedding Windows Media Player...
Most people here would -welcome- that kinda content..
Seriously, the guys working on the Longhorn RSS project are the biggest collective bunch of choads ever. Don't believe me? Here's an hour long video of them talking about Longhorn and RSS, and how they're going to make RSS great... in a few years, you know, when they get around to releasing stuff.
The Video
If you don't want to kick someone in the head after watching that, you're not breathing.
... anymore than a browser - as long as RSS is implemented so that the user chooses the RSS feeds to subscribe to.
Email often is the source of malware because email is passive - people are sent email, they don't choose it. Peer to peer as well is often a source of malware - people are exchanging files they believe have content they want and either are unaware of the risks or are willing to take them.
RSS is different than both of these. Unlike email the user has to CHOOSE to receive content via RSS, whereas email is directed towards the user. While it is similar to peer to peer software in that people may exercise poor judgement in selecting sources for RSS, I would think people would ultimately select from far fewer separate sources of content with RSS as opposed to peer to peer scenarios, and there are many sources of good RSS content from well known sources (e.g. Reuters, Slashdot, NYT, Air America, etc.).
How is this any more of a risk than a person visiting a questionable website which downloads malware?
If people are dumb enough to subscribe to questionable feeds without the proper precautions, RSS doesn't make this any easier.
EOM
? BabelFish says Natural Donkey Cat.
RSS is not exploitable, the software that renders it is.
Microsoft needs to focus on a secure RSS aggregation engine w/ secure algorithmic filtering, and then stfu.
the only permanence in existence, is the impermanence of existence.
In this instance RSS represents a particular attack vector (or a transport mechanism) that an exploit (like a virus or a worm) can take to attack the host system.
I think it is interesting that Microsoft is using a well known protocol in Longhorn, especially one that wasn't developed at Microsoft. If RSS in Longhorn is exploited then the folks there can point back to the open source RSS development community and look for help getting the vector or the exploit addressed.
It will also be interesting to see the kind of impact that Microsoft might try to have over RSS development going forward.
"I'll be better when I'm older"
MS users are used to an OS and Internet Browser blown full of security holes.
Keep up the good work guys.
"The way we can tell it's C# instead of Haskell is because it's nine lines instead of two." -- wadler
Using phish for bait?
> cat ~/.signature | grep -v bullshit
>
This latest bit of news exemplifies why Microsoft will never be able to secure Windows -- why, in fact, it will never be able to even come close. Microsoft has this philosophy of supporting features like RSS in the lowest levels of the OS, in ways no sane person would even consider, never mind implement. Programmers always make mistakes. That's a given. All it takes is one small mistake to compromise the entire system. You don't add this sort of feature without being very careful (and we all know how successful Microsoft has been in this area).
I don't care what Microsoft says in its Get the FUD campaign, this design philosophy is the reason Windows will always be inferior to Linux when it comes to security, not the relative popularity of Windows and Linux.
As I've ranted before: using Windows is like having unprotected group sex with a roomful of complete strangers. This latest hare-brained scheme of theirs will be like inviting even more people to the sex party. Ugh! Time to become a Monk.
"My country, right or wrong; if right, to be kept right; and if wrong, to be set right." --Senator Carl Schurz (1872)
lmao... Did the same thing... One word: Wha??
I think it's his user name, poorly translated...
OMG! Wau!
what the hell?
I'm telling you. Push ^D^D^D^D Active Desktop ^D^D^D^D RSS technology is the next big thing...
I am becoming gerund, destroyer of verbs.
Exactly the reason I don't use Thunderbird for RSS feeds. My Firefox installation has been about:config-ed to the hilt over time for the blend of security, privacy and functionality I prefer. I wouldn't know where to start with setting TB's vanilla rendering of pages to an identical standard. (Not that FF's implementation of RSS is much to write home about, I'm a Sage person myself)
Oh Seamonkey, where art thou?
and people are already talking about security holes?
Windows really raises interesting expectations.
Oh well, what the hell...
I'm sure they'll have dumb stuff like ActiveX scripting in RSS feeds, plus I'd expect the feeds will have to be served by IIS, the security Swiss cheese of web servers, expect CodeRedRSS real soon now!
Any sufficiently advanced man is indistinguishable from God
By Babelfish itself, I suspect. XD
...to include a post ranking for feeds, so 'important' articles can be pushed ahead. I see it now: RSS Spam! Ads littering the top of your feeds! shoving all other feeds off of the screen: "Everybody Loves Baklava!!!!" Click a fake article and get porn trojans that add endless sex links to your RSS feeder. It will be the same fiasco as IE. And, of course MSFT won't see the problem.
cogito cogito, ergo cogito sum [I think that I think, therefore I think that I am.]
Accordingly, I have meta-modded the 'Flamebait' mod 'Unfair'.