Possible RSS Abuse in Longhorn

dMill writes "There has been a lot of discussion about Microsoft's decision to bake RSS into Longhorn (see previous Slashdot coverage) but the obvious security implications seem to be on the back burner. eWeek has a story discussing the risks and Don Park is also warning about the potential for abuse and exploitation. For example, the primary mechanism behind podcast, RSS enclosure, can be used to deliver worms and worse to the desktops. If there are any vulnerabilities in iPod (or any MP3 player hooked up to podcast sync client) codec, then podcasting is a good way to deliver overflow inducing content."

Worse than worms?!?

[zerocool^]

Worse than worms?!? Worms can get into your system, slave it, erase or steal data, slow it down, advertise to you, and any number of other things! What's worse than lost data, identity theft, popups, and a slow computer? Strangulation via TCP/IP?

~Will

OS X

[m0rph3us0]

I guess OS X must be REALLY insecure then.

There is a big difference between RSS being a security risk and a bad implementation of an RSS reader and poor security model being insecure.

Re:OS X

[DrSkwid]

Even seasoned sysadmin pros will tell you that part of the reason Linux is so secure is because the public doesn't perceive it as The Enemy and script kiddies don't think it's so much fun to take apart and take out a RedHat server as a Window Server 2003 one.

See, even seasoned sysadmin pros can be wrong.

Linux boxes get owned every day of the week, just like any other box with exploits available.

The perception of security has *nothing to do* with the actual security.

Re:OS X

Of course MS is targeted proportionally to its use. Most people who are out to 0wn a system don't care what OS that system has. A randomly chosen host is very very likely to be MS. A randomly chosen host that can be trivially compromised is even more likely to be MS.

Re:OS X

[drsmithy]

And that's why Apple is smarter than M$...by not integrating it into the OS in a stupid and unneccessary way they can avoid some degree of exploitability.

Hate to break it to you, but IE is no more "integrated" into Windows than Safari+WebKit+WebCore is into OS X.

There is zero reason to believe a Microsoft RSS "reader" will be any more "integrated" into Windows than the OS X one is into OS X.

Re:OS X

[drsmithy]

Fanboys? All you have to do in order to become anti-Microsoft is pay attention.

Only if you're a biased 15 year old with a worldview about as wide as a pencil.

Microsoft behave much the same way every other company does in the computing world. The only difference is their actions have a much wider impact than most others (within the computing world).

If you want to get into a global scale and move outside of the computing world, Microsoft are practically a *saint* in comparison to the /real/ "big nasty corporations. Thousands of babies have not died because of a deceptive Microsoft marketing campaign. Wars have not been started because Microsoft wanted to make some more money.

Get some fucking perspective.

Re:OS X

[FunWithHeadlines]

"Microsoft behave much the same way every other company does in the computing world. "

That wouldn't excuse a thing, even if it were true. But it's not true. They have behaved shamefully, and to a worse degree than other companies. Perhaps it's only because of the power they wield, but they have behaved in a shameful manner.

"If you want to get into a global scale and move outside of the computing world, Microsoft are practically a *saint* in comparison to the /real/ "big nasty corporations. Thousands of babies have not died because of a deceptive Microsoft marketing campaign. Wars have not been started because Microsoft wanted to make some more money."

Nobody said they were, but we are talking about computers here. This isn't the Politics section. Just because there are awful corporate actions elsewhere doesn't excuse a thing Microsoft has done. "He does it too!" is a kindergarten excuse.

"Get some fucking perspective."

Get some manners.

Move along...no news here

[mrhandstand]

So what we are being told it that downloading something from a potentially untructed source and then running that data casn lead to bad things? Oh My!

When are we going to stop acting like each new protocol or application vulnerability is a new thing? Until NX (No Execute) and good input sanitization is ubiquitous, these things will contine to plague the networked world.

Re:Move along...no news here

[danheskett]

Ahh..

you are uninformed.

Real systems seperate executable code and data effectively without resorting to things like NX.

Microsoft has this great idea with Windows 95 that things should be "document centric"; you don't open an application to print a document, you drag the document to the printer! Magic! Behind the scenes Windows will silently open the application, feed it the data, and a command telling it to print to the printer. Sounds good, but the problem is that (1) Windows can be told to perform a different action instead of "print" - all actions are created equal. (2) Windows can be told instead to execute the data as code, (3) the "correct application" can be changed, feeding your data to any old app that feels like it should register itself as the handler of that data type, etc.

So in the name conveince MS has created a gigantic system where any thing can be executed as code and nothing is truly data. Then they go and design a huge mass of file formats that contain both data and binary.

Re:Move along...no news here

[mrhandstand]

I understand what real OS's do...I run one. :-D Unfortunately, the VAST majority of people don't, so we get to hope for NX and data sanitization.

Re:Move along...no news here

[danheskett]

The vast majority of people are not OS developers. The only people who have to understand this now are MS people.

COM and it's OLE predecessors is inherently insecure simply because it mixes data and code. Bad. BAD.

Re:Move along...no news here

[julesh]

The point, besides your nitpicking know-it-all attitude is that MS's lack of data/code seperation has lead to nasty NX hacks and processor tricks to solve a problem that other OS's don't have.

But data and code are as separate on Windows as they are on any other OS. The problem with Windows has nothing to do with this. The largest problems are:

1. Much of the code was written without concern for security by people who didn't really understand how to make it secure. This lead to things like the RPC service buffer overflow.

2. There has been too much emphasis on making the system easy to use at the expense of security. This lead to things like the default password issue in SQL server, which originated a worm of its own.

3. There has been too much emphasis on flexibility at the expense of security. This led to MS Word viruses, and is possibly the closest to your point.

4. The system has been marketed on the basis that any idiot can use it. While this is true, any idiot can also use it to download and run malicious code without knowing it. There should have been more user education.

5. The system has blurred distinctions between outward facing components (e.g. Internet Explorer's DHTML implementation) and restricted-access inward facing ones (e.g. the extended versions of Javascript that are used for internal scripting purposes only). This has led to many scripting and active-x based security holes, and has in fact prompted MS to switch off Javascript on the local machine by default in SP2. Entirely.

I don't see how COM is to blame for any of these. Or DDE. Or OLE. Or even ActiveX, which is a fine technology if used appropriately.

And NX isn't really a nasty hack, it's something that should have been present and in use from the beginning. And if you really think other OSs don't have any buffer overflows, you're living with your head in the sand. I've had a buffer overflow exploited on one of my Linux boxes before now, although fortunately the worm using it failed to install correctly because it was intended for systems with a different configuration to mine.

Common sense

RSS is a transmission vector. Data can get onto your system through RSS in the same way it can get onto your system through email, through floppy disks, through web browsing, and so on.

Wherever there's a transmission vector, there's possibility for infection if applications that consume that data are insecure.

So basically, this "possible abuse" warning is simply saying "You know those applications that suck up lots of untrusted data? If they are insecure, you may have problems!" Sorry, but there's nothing new here.

In fact, having it built into Longhorn could reduce the likelihood for security holes. All the RSS-consuming applications use their own home-grown parsing routines right now. Switching to one shared library means there's only one place for vulnerabilities to arise in this respect, and when each vulnerability is fixed, it will be fixed for all the applications at once.

On the other hand, this is Microsoft that is writing the shared library, and we all know how secure their coding is. Internet Explorer hasn't had any meaningful updates for four years, and they are still finding holes in it on a regular basis - which means that every application that embeds Trident (Internet Explorer's rendering engine) are constantly in a state of insecurity. It all comes down to the benefits of shared libraries versus the incompetence of Microsoft.

Perhaps this is _why_ msft is interested.

[team99parody]

One thing we often overlook is that weak security is actually in the interest of Microsoft, because it's a primary drivers of corporate upgrades.

Many businesses are still content with Windows2000; and see little reason to upgrade to Longhorn. One of the easiest buttons to push to get a CFO to approve upgrades is finding security holes in the old systems.

As long as Microsoft's business model is so dependant on bleeding it's existing customers until they're dry; I don't think it's really in their interest to stop security holes. Of course they don't want to launch Longhorn with a bunch of old IE holes that are already exploited, so they need to find new areas for this. Slowly adding new holes like RSS; where the holes may not be found for many years is perfect for the upgrade plan.

[yes, it was a troll; but I think there's a truth to the fact that security weeknesses in Windows is a major driver of upgrades]

Re:Perhaps this is _why_ msft is interested.

[rhizome]

While it may be nice to think these conspiracy theories that we purposefully put in vulnerabilities, the fact is that at least since 2003 MS has kicked itself into shape and now has security as the top priority.

That's fine, but the fact remains that Microsoft is adding new attack vectors just as they are incorporating new technologies to deal with security holes (which themselves qualify as potential vulnerabilities). It may be a stereotype, but the culture of "Uncle Bill" really holds sway here, that Microsoft sets itself up as both the cause and solution to security problems and extending RSS to include executable binary code is just as smart as ActiveX in the browser. That is, "not very," for the majority of users, and "definitely not" for the wild-and-wooly Internet environment.

Keep in mind Hanlon's law here. It's not enough to say that Microsoft is feeding a conspiracy by making shady business decisions because I don't think they are. They just can't help making dumb ones. Refer to the allegory of the scorpion and the frog for further illustration.

Re:Perhaps this is _why_ msft is interested.

[team99parody]

Thanks for the informed response to my troll [argh, I was going for a cheapshot conspiracy-theory-funny and I even said I was trolling yet I still got modded up (go figure)]

"We're actually seeing for the first time security concerns trumping 'user friendliness', which is great."

Is it great? As someone with stock in Microsoft, I wonder if Microsoft's newfound obsession with security is a poor strategic decision that really doesn't play to Micrsoft's strenghts. Computer security is really an area of expertise that really lends itself to small contained systems that are very conservative in the features they include. The bulk of Microsoft's market lends itself to feature rich (some would say bloated) applications and leading edge (some would say beta-quality) features.

Of course security is important - but consider that all businesses in all industries have to make calculated risk/reward calculations when they ballance security with other demands. For example, if Ford decided that security was the overriding principal, their cars would all have 4-point-seat belts; be armored tanks; and go only 10 MPH. Surely there are small niche demands for such features (racecars, infant-car-seats, and military); but Ford strikes a reasonable ballance between risk and reward for the core of the market. Similarly credit companies strike a careful ballance between the ease to use a credit card and the ease to steal a credit card. Much like a credit card company, it seems Microsoft would be better served by continuing to focus on the most profitable segment and like credit companies provide guarantees against loss due to their inevitable security problems.

By saying Microsoft wants Longhorn to be both feature-competitive with Linux and security-competitive with OS/390 & Solaris they're really creating a bizzare racecar+tank+HondaCivic-frankenstein that will fail at all of those goals.

Anyway, we have too many eyes from different groups going through [our] designs and actual code for people to make such[...]

Forgive me from finishing your sentence; but seeing how many features got dropped from Longhorn it seems these eyes are preventing a lot of features from getting done as well.

And of course I didn't mean to suggest that Gates and Balmer are deliberatelly telling people to inject bugs. However they are telling them to inject features (like RSS, and Internet Explorer, etc) that have no place in a secure OS. And I do believe that they are well aware of the security implications of those directions; and that they're smart enough to realize that this will help their upgrade business down the road.

Uh...

[Momoru]

I see the comments are already filled with "What do you expect its microsoft!!!" and "Hah! hacked b4 its out!!!" comments... This is just speculation about a potential vulernability, in a feature that is not even in a beta in an OS that is not even in beta. Cripes, at least wait until it's out before rushing to any judgements...you know you all use Windows anyways.

The perfect slashdot article

[gowen]

vulnerabilities in iPod codec, then podcasting is a good way to deliver overflow inducing content.

Only on slashdot can people find a way to blame (putative) Apple vulnerabilities on Microsoft.

Re:Not IF there are vulnerabilities but WHAT they

[peragrin]

In 1999 people discussed the security problems of ActiveX. 3 years later MSFT was having a nightmare over those said same problems.

Embrace Extend poorly, an extinguish everything seems to be MSFT's philosophy.

MSFT wants locking so badly it forgets to look for the simple errors.

Re:What!?

[DrSkwid]

All data is binary, anything else is an illusion.

OMG!!!

[oneeyedelf1]

In other news Internet Explorer automatically downloads pictures linked to in HTML. Images could contain worms. And be executed by possible buffer overflows when image is displayed. Personally I would love rss intergration for most programs, an easy way to integrate things like changelogs in newer version notifications to decide if updating is worth it, etc etc. I have a feeling lots of cool stuff could be done with this power. I am all about delivering content formated how you want it, where you want it, when you want it. Microsoft looks like its on the right direction here.

Re:What!?

[RingDev]

No, he was being accurate. The asshat who started this thread doesn't understand how data is transfered. RSS always did transmit binary data, the only difference is that previously it would always resolve that binary to UTF or ANSI text. MS is just adding the option of building the binary to a file of some type instead. -Rick

Re:Why worry?

[Alioth]

Yes - you do have to worry about it. Your computer is no longer an island once it's on the Internet.

At home, I do not run any Microsoft software, yet I still have to deal with the consequences of zombied Windows PCs on broadband connections, deluging my email inbox with spam and chewing up valuable network bandwidth. When SQL Slammer made its attack, it completely knocked out one of the ISPs here due to the massive amount of traffic.

Microsoft's insecurity affects everyone - even those who don't use MS software at all.

Re:Easier way

[shutdown+-p+now]

They did. It was called ActiveX, but is now being deprecated in favor of .NET.

the problem isn't RSS, it's Longhorn Architecture

[v3xt0r]

RSS is not exploitable, the software that renders it is.

Microsoft needs to focus on a secure RSS aggregation engine w/ secure algorithmic filtering, and then stfu.