Possible RSS Abuse in Longhorn
dMill writes "There has been a lot of discussion about Microsoft's decision to bake RSS into Longhorn (see previous Slashdot coverage) but the obvious security implications seem to be on the back burner. eWeek has a story discussing the risks and Don Park is also warning about the potential for abuse and exploitation. For example, the primary mechanism behind podcast, RSS enclosure, can be used to deliver worms and worse to the desktops. If there are any vulnerabilities in iPod (or any MP3 player hooked up to podcast sync client) codec, then podcasting is a good way to deliver overflow inducing content."
in case the articles get nuked:
http://www.eweek.com.nyud.net:8090/article2/0,1759,1833035,00.asp
http://www.docuverse.com.nyud.net:8090/blog/donpark/EntryViewPage.aspx?guid=1bedfa3f-e67f-4d78-8b2d-cff3a9ccf90a
Handy little caching service.
anime+manga together at last.. in real time.
What retard decided to put binary data in RSS? Or would allow execution of code linked to by an RSS feed? That is truly the most retarded thing Microsoft could have done with regards to security.
That would be Adam Curry and Dave Winer, an MTV DJ and a 'net hacker (the guy behind RSS1 and RSS2, IIRC)
Embedding RSS (and, more importantly, the RSS "enclosure" magic that enables podcasting) is right up there with "let's embed the browser right into the OS", but to be fair to MS it wasn't them who decided to put binary data into RSS. Though I bet they're kicking themselves right now - "no patents for us!"
This is where the serious fun begins.
Joe Baldwin is amnesiac? There's one for the E2 rumour mill.
My Karma: ran over your Dogma
StrawberryFrog
RSS enclosures can move anything. Corrupt the underlying XML (or the data it is trying to move in the enclosure) and all your victims will pull it onto their desktops automatically. An analog is having HTML email and using a preview pane. You wouldn't do that, but RSS enables it. Got a PDF that exploits an Adobe vulnerability? Add it as an enclosure. Got an image? Same deal. Got a zip? Go ahead. It's not just the currently trendy podcasting and audio files that pose threats. Worse yet, there are many RSS clients out there, not just a few (unlike browser or email). Many opportunities to find holes. Most clients use IE to render the HTML, so there's also the risk of phishing, embedded script, moveable code and other standard HTML malware. What are the vendors doing to mitigate this? Good question. Anyone from feedburner, say, care to comment?
RSS doesn't stand for Really Scary Security - yet. MSFT just made it a much richer target - let's save the guesswork about the quality of their implementation for when it actually shows up.
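An added example (not code from the post above or from any aggregator or product it mentions) of the kind of allowlist policy an RSS client could apply to <enclosure> elements before fetching anything automatically; the sample feed and the allowed-type table are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
import posixpath

# Constructed sample feed: one benign podcast episode, one enclosure whose
# declared MIME type does not match its file extension, one non-audio file over http.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>demo</title>
<item><title>ep1</title>
  <enclosure url="https://example.com/ep1.mp3" length="1234567" type="audio/mpeg"/></item>
<item><title>ep2</title>
  <enclosure url="https://example.com/ep2.exe" length="90000" type="audio/mpeg"/></item>
<item><title>ep3</title>
  <enclosure url="http://example.com/update.zip" length="90000" type="application/zip"/></item>
</channel></rss>"""
# Assumed policy: only audio types, and each type may carry only these extensions.
ALLOWED = {"audio/mpeg": {".mp3"}, "audio/mp4": {".m4a"}, "audio/ogg": {".ogg", ".oga"}}
MAX_BYTES = 500 * 1024 * 1024  # refuse absurd declared sizes

def check_enclosure(url, mime, length):
    """Return (ok, reason). Anything outside the allowlist is rejected, never fetched."""
    p = urlparse(url)
    if p.scheme != "https":
        return False, "non-https url"
    if mime not in ALLOWED:
        return False, f"type not allowed: {mime}"
    ext = posixpath.splitext(p.path)[1].lower()
    if ext not in ALLOWED[mime]:
        return False, f"extension {ext!r} does not match {mime}"
    try:
        n = int(length)
    except (TypeError, ValueError):
        return False, "missing or non-numeric length"
    if n <= 0 or n > MAX_BYTES:
        return False, "implausible length"
    return True, "ok"

def vet_feed(xml_text):
    """Parse the feed and return {item title: (ok, reason)} without downloading anything."""
    # Feed XML is attacker-controlled input; in production parse it with defusedxml.
    root = ET.fromstring(xml_text)
    results = {}
    for item in root.iter("item"):
        title = item.findtext("title", default="?")
        enc = item.find("enclosure")
        if enc is None:
            continue
        results[title] = check_enclosure(enc.get("url", ""), enc.get("type", ""), enc.get("length"))
    return results
```

Only enclosures that pass every check would be handed to the download stage; the reason string gives the user something more useful than a silent skip.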
Real systems separate executable code and data effectively without resorting to things like NX
These memory segments are separate, but nothing will prevent a CPU from executing valid code in a data segment. Overflow exploits work by diverting execution to code stored in data. The whole point behind NX is to prevent that.
True, and the original poster seems to foolishly believe that ASCII text can't be used to exploit a buffer overflow. Firstly, it can (random googled link), and secondly, you can send anything you want over the network, whether the spec says "binary data" is OK or not, unless there's some kind of filter that only lets certain types of bytes through.
Insightful, except for the fact that I'm a developer on Longhorn, and I have to spend endless hours pouring through my designs with security groups within Microsoft. And once my component is ready, the source is shipped to the security group for one final run through for vulnerabilities.
While it may be nice to think these conspiracy theories that we purposefully put in vulnerabilities, the fact is that at least since 2003 MS has kicked itself into shape and now has security as the top priority. We're actually seeing for the first time security concerns trumping 'user friendliness', which is great. Anyway, we have too many eyes from different groups going through our designs and actual code for people to make such shady business decisions.
Last time I checked, Safari had RSS support and iTunes 4.9 had podcasting but OSX itself didn't integrate RSS & podcasting into the kernel or os space...
"The way we can tell it's C# instead of Haskell is because it's nine lines instead of two." -- wadler
> And if you don't my asking, what's an FXP site?
I don't mind at all, in fact I used it as a test to see if you knew much about the scene on which you are trying to comment. File eXchange Protocol http://en.wikipedia.org/wiki/FXP
It is used by warez traders. One can transfer files between two FTP servers without any having to come to you first. One owns a (usually Windows) box, creates hidden directories with directory names that are untypeable at the terminal (using special characters) [the _vti directories are a good base for this, MCSE admins rarely look inside them and even if they do, have no idea what they are for]. One can then FXP between hosts, thus obfuscating the audit trail. One uses a base owned box to use as a file store and preserve its bandwidth, thus reducing the likelihood of discovery. One then FXPs the warez to other owned hosts and these secondary tiers have their hostnames posted in irc for other couriers to download from and distribute.
The other major use for owned machines is as an irc bouncer to facilitate the above.
Microsoft Windows is targeted because it is a soft ubiquitous target, pure and simple, not because the attacker has any personal feelings about the OS.
There are places where the networks are not touching, and there are places where they are. - Boeing's Lori Gunter
" Now if you post something knocking Microsoft, you are equally likely to get modded to oblivion as modded up. Since Microsoft hasn't changed, I can attribute this shift to one of two things:"
The shift is because of all the sensationalistic bullshit Slashdot's been stoking for the last few years. No one can really judge from reading Slashdot whether or not MS really is shady. Because everything MS does is bad, even if your favorite company does the same thing. A Linux distro intentionally infringes on MS's trademark? It's Microsoft's fault. Security flaw in IE? It's time to switch. Security flaw in Firefox? This is proof we should stay with Firefox. Microsoft decides to discontinue support for Windows 98? MS is evil for forcing people to upgrade. Microsoft decides to continue support for Windows 98? MS is evil for keeping that insecure OS around.
You don't have to be an MS astroturfer to be sick of the bullshit and often outright fiction that the Slashdot community posts about MS. Why would I care? Because I love Microsoft? Heh no. Not even close. If Slashdot posted a story right now about MS truly doing something evil, it wouldn't be any more credible to me than Rush Limbaugh's criticism of a democrat. Slashdot's cried wolf too many times.
Slashdot's lack of credibility about Microsoft is not a result of astroturfing.
"Derp de derp."
I will take you at your word that you are a decent guy and that your query was genuine. Can I dislike Microsoft while still liking individuals who work there or who work with their products? Sure. Just as I can criticize the actions of the government while being good friends with my neighbor Joe Civic Servant down the street. We are all familiar with how groups of decent individuals can come together in an organization that then causes them to act in ways that perpetuate the organization, even if those ways wind up being bad.
Has Microsoft changed? I don't see much of a change. Their attack on Linux hasn't gained much traction, so in recent months and years they have occasionally tried the carrot instead of the stick and said nice things about Open Source and Free Software. But since the GPL is antithetical to their business model, it seems to be just words. Their actions continue to show that they have not changed.
I spent 15 minutes with Google to come up with some recent relevant examples that show their current attitude. Is every story below accurate? Maybe not. But when there's that much smoke...
Ballmer: Linux violates patents; use it and you will be sued by somebody
MS Office XML Format licence is incompatible with the GPL
HP Memo: "Microsoft will soon be launching a patent-based legal offensive against Linux"
Microsoft using the WTO as a proxy to fight free software
Microsoft's antitrust offering 'blocks Samba'
Microsoft's New Monopoly
Microsoft remains unrepentant, says antitrust judge
Rivals Say Microsoft Flouts Antitrust Settlement