Slashdot Mirror

← Back to Stories (view on slashdot.org)

Possible RSS Abuse in Longhorn

Posted by Zonk on from the really-sleazy-stuff dept.

dMill writes "There has been a lot of discussion about Microsoft's decision to bake RSS into Longhorn (see previous Slashdot coverage) but the obvious security implications seem to be on the back burner. eWeek has a story discussing the risks and Don Park is also warning about the potential for abuse and exploitation. For example, the primary mechanism behind podcast, RSS enclosure, can be used to deliver worms and worse to the desktops. If there are any vulnerabilities in iPod (or any MP3 player hooked up to podcast sync client) codec, then podcasting is a good way to deliver overflow inducing content."

10 of 214 comments (clear)

  1. Worse than worms?!? by zerocool^ · · Score: 4, Insightful


    Worse than worms?!? Worms can get into your system, slave it, erase or steal data, slow it down, advertise to you, and any number of other things! What's worse than lost data, identity theft, popups, and a slow computer? Strangulation via TCP/IP?

    ~Will

    --
    sig?
  2. OS X by m0rph3us0 · · Score: 5, Insightful

    I guess OS X must be REALLY insecure then.

    There is a big difference between RSS being a security risk and a bad implementation of an RSS reader and poor security model being insecure.

    1. Re:OS X by drsmithy · · Score: 3, Insightful
      Fanboys? All you have to do in order to become anti-Microsoft is pay attention.

      Only if you're a biased 15 year old with a worldview about as wide as a pencil.

      Microsoft behave much the same way every other company does in the computing world. The only difference is their actions have a much wider impact than most others (within the computing world).

      If you want to get into a global scale and move outside of the computing world, Microsoft are practically a *saint* in comparison to the /real/ "big nasty corporations. Thousands of babies have not died because of a deceptive Microsoft marketing campaign. Wars have not been started because Microsoft wanted to make some more money.

      Get some fucking perspective.

  3. Move along...no news here by mrhandstand · · Score: 4, Insightful
    So what we are being told it that downloading something from a potentially untructed source and then running that data casn lead to bad things? Oh My!

    When are we going to stop acting like each new protocol or application vulnerability is a new thing? Until NX (No Execute) and good input sanitization is ubiquitous, these things will contine to plague the networked world.

    --
    Always value the individual over the system. --Bruce Lee "I don't need a Sig - I have a custom 191" - me
    1. Re:Move along...no news here by danheskett · · Score: 3, Insightful

      Ahh..

      you are uninformed.

      Real systems seperate executable code and data effectively without resorting to things like NX.

      Microsoft has this great idea with Windows 95 that things should be "document centric"; you don't open an application to print a document, you drag the document to the printer! Magic! Behind the scenes Windows will silently open the application, feed it the data, and a command telling it to print to the printer. Sounds good, but the problem is that (1) Windows can be told to perform a different action instead of "print" - all actions are created equal. (2) Windows can be told instead to execute the data as code, (3) the "correct application" can be changed, feeding your data to any old app that feels like it should register itself as the handler of that data type, etc.

      So in the name conveince MS has created a gigantic system where any thing can be executed as code and nothing is truly data. Then they go and design a huge mass of file formats that contain both data and binary.

  4. Common sense by Anonymous Coward · · Score: 3, Insightful

    RSS is a transmission vector. Data can get onto your system through RSS in the same way it can get onto your system through email, through floppy disks, through web browsing, and so on.

    Wherever there's a transmission vector, there's possibility for infection if applications that consume that data are insecure.

    So basically, this "possible abuse" warning is simply saying "You know those applications that suck up lots of untrusted data? If they are insecure, you may have problems!" Sorry, but there's nothing new here.

    In fact, having it built into Longhorn could reduce the likelihood for security holes. All the RSS-consuming applications use their own home-grown parsing routines right now. Switching to one shared library means there's only one place for vulnerabilities to arise in this respect, and when each vulnerability is fixed, it will be fixed for all the applications at once.

    On the other hand, this is Microsoft that is writing the shared library, and we all know how secure their coding is. Internet Explorer hasn't had any meaningful updates for four years, and they are still finding holes in it on a regular basis - which means that every application that embeds Trident (Internet Explorer's rendering engine) are constantly in a state of insecurity. It all comes down to the benefits of shared libraries versus the incompetence of Microsoft.

  5. Perhaps this is _why_ msft is interested. by team99parody · · Score: 3, Insightful
    One thing we often overlook is that weak security is actually in the interest of Microsoft, because it's a primary drivers of corporate upgrades.

    Many businesses are still content with Windows2000; and see little reason to upgrade to Longhorn. One of the easiest buttons to push to get a CFO to approve upgrades is finding security holes in the old systems.

    As long as Microsoft's business model is so dependant on bleeding it's existing customers until they're dry; I don't think it's really in their interest to stop security holes. Of course they don't want to launch Longhorn with a bunch of old IE holes that are already exploited, so they need to find new areas for this. Slowly adding new holes like RSS; where the holes may not be found for many years is perfect for the upgrade plan.

    [yes, it was a troll; but I think there's a truth to the fact that security weeknesses in Windows is a major driver of upgrades]

    1. Re:Perhaps this is _why_ msft is interested. by rhizome · · Score: 3, Insightful

      While it may be nice to think these conspiracy theories that we purposefully put in vulnerabilities, the fact is that at least since 2003 MS has kicked itself into shape and now has security as the top priority.

      That's fine, but the fact remains that Microsoft is adding new attack vectors just as they are incorporating new technologies to deal with security holes (which themselves qualify as potential vulnerabilities). It may be a stereotype, but the culture of "Uncle Bill" really holds sway here, that Microsoft sets itself up as both the cause and solution to security problems and extending RSS to include executable binary code is just as smart as ActiveX in the browser. That is, "not very," for the majority of users, and "definitely not" for the wild-and-wooly Internet environment.

      Keep in mind Hanlon's law here. It's not enough to say that Microsoft is feeding a conspiracy by making shady business decisions because I don't think they are. They just can't help making dumb ones. Refer to the allegory of the scorpion and the frog for further illustration.

      --
      When I was a kid, we only had one Darth.
  6. Uh... by Momoru · · Score: 3, Insightful

    I see the comments are already filled with "What do you expect its microsoft!!!" and "Hah! hacked b4 its out!!!" comments... This is just speculation about a potential vulernability, in a feature that is not even in a beta in an OS that is not even in beta. Cripes, at least wait until it's out before rushing to any judgements...you know you all use Windows anyways.

  7. The perfect slashdot article by gowen · · Score: 5, Insightful
    vulnerabilities in iPod codec, then podcasting is a good way to deliver overflow inducing content.
    Only on slashdot can people find a way to blame (putative) Apple vulnerabilities on Microsoft.
    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.