Slashdot Mirror


Possible RSS Abuse in Longhorn

dMill writes "There has been a lot of discussion about Microsoft's decision to bake RSS into Longhorn (see previous Slashdot coverage) but the obvious security implications seem to be on the back burner. eWeek has a story discussing the risks and Don Park is also warning about the potential for abuse and exploitation. For example, the primary mechanism behind podcast, RSS enclosure, can be used to deliver worms and worse to the desktops. If there are any vulnerabilities in iPod (or any MP3 player hooked up to podcast sync client) codec, then podcasting is a good way to deliver overflow inducing content."

11 of 214 comments

  1. Address them! by Gandul · · Score: 1, Interesting

    This would be a great opportunity to address the security concerns over RSS in a very big lab. Using Longhorn as a test platform and counting on Microsoft's dominance of the desktop market might provoke positive reactions from AV and security software developers.

  2. Mod parent up by Animats · · Score: 3, Interesting
    That's exactly what Microsoft tells the huge number of business users still running Windows 2000. It's not a troll; it's reality.

    Microsoft keeps adding stuff to Windows that allows external programs to initiate activity from the network. Windows Messenger Service. Universal Plug and Play. Windows Update. Active Management. AutoPlay. Now, RSS. And they consistently have them turned on by default. This guarantees a large supply of future security holes.

    In ten years, they haven't even been able to secure Outlook.

  3. Re:Not IF there are vulnerabilities but WHAT they by Anonymous Coward · · Score: 1, Interesting

    I also spotted the IF in "If there are any vulnerabilities in iPod". Come on peeps, this is a non-story, every piece of code in every service running has a huge great IF attached to it. What IF ssh has a buffer overflow bug!? Oh, I hear you say it could never have? Were you saying that in August 2003? You can take it for granted bad code WILL be found in RSS streaming clients, and to integrate them into a system with high-level privileges, and without years of testing, is extremely foolish.

  4. Re:Move along...no news here by John Whitley · · Score: 2, Interesting

    Until NX (No Execute) and good input sanitization are ubiquitous, these things will continue to plague the networked world.

    Even these may not be enough. I think it's going to be really hard to get good, ubiquitous input sanitization. Folks will keep generating new and interesting dynamic, networked applications, vulnerable in new and interesting ways...

    A nice tip-of-the-iceberg example is the notes on supported Python versions from the Zope team. They recommend Python 2.3.5, not the new 2.4.1, not for stability, but because they haven't had a chance to do a security audit of the new Python features in 2.4 to make sure that no security holes would be inadvertently created by running Zope on the newer Python release.

  5. MS vs Apple by Anonymous Coward · · Score: 4, Interesting

    I'm far from an MS fan, doing all of my work for the last few years on Linux, and being currently in the process of moving to OS X. But I have to ask, why is /. reporting a possible vulnerability in an unreleased OS, whereas a serious flaw in the design of OS X (here, today, right now) has not been talked about at all?

  6. RSS is a potential attack vector by vonoech · · Score: 2, Interesting

    In this instance RSS represents a particular attack vector (or a transport mechanism) that an exploit (like a virus or a worm) can take to attack the host system.

    I think it is interesting that Microsoft is using a well-known protocol in Longhorn, especially one that wasn't developed at Microsoft. If RSS in Longhorn is exploited then the folks there can point back to the open source RSS development community and look for help getting the vector or the exploit addressed.

    It will also be interesting to see the kind of impact that Microsoft might try to have over RSS development going forward.

    --
    "I'll be better when I'm older"
  7. Well by Beefslaya · · Score: 1, Interesting
    How is this any different than IE?

    MS users are used to an OS and Internet Browser blown full of security holes.

    Keep up the good work guys.

  8. Re:OS X by FunWithHeadlines · · Score: 2, Interesting
    Slashdot certainly has always been a traditional MS haters club, yes. But /. has been paying attention to all the Microsoft stories, so no surprise there.

    What has surprised me is that in the last year or two, I've noticed a real change around here. Now if you post something knocking Microsoft, you are equally likely to get modded to oblivion as modded up. Since Microsoft hasn't changed, I can attribute this shift to one of two things:

    1. Lots of new people reading /. who don't know (or don't care) about Microsoft's shady behavior, and get offended if you say anything bad about them.

    2. Microsoft astroturfing. People who scope out anti-Microsoft talk and mod down accordingly.

  9. Re:OS X by Anonymous Coward · · Score: 1, Interesting

    And that's why Apple is smarter than M$...by not integrating it into the OS in a stupid and unnecessary way they can avoid some degree of exploitability. But with Windows everything has to be integrated for some reason and thus a large text file opened in Notepad can bring my whole PC to a screeching halt and some jerk-off with a bad PNG or JPG forces IE to tank my whole OS. Thanks Microsoft....

  10. This Is Why a Secure Windows is Impossible by Prototerm · · Score: 2, Interesting

    This latest bit of news exemplifies why Microsoft will never be able to secure Windows -- why, in fact, it will never be able to even come close. Microsoft has this philosophy of supporting features like RSS in the lowest levels of the OS, in ways no sane person would even consider, never mind implement. Programmers always make mistakes. That's a given. All it takes is one small mistake to compromise the entire system. You don't add this sort of feature without being very careful (and we all know how successful Microsoft has been in this area).

    I don't care what Microsoft says in its Get the FUD campaign, this design philosophy is the reason Windows will always be inferior to Linux when it comes to security, not the relative popularity of Windows and Linux.

    As I've ranted before: using Windows is like having unprotected group sex with a roomful of complete strangers. This latest hare-brained scheme of theirs will be like inviting even more people to the sex party. Ugh! Time to become a Monk.

    --
    "My country, right or wrong; if right, to be kept right; and if wrong, to be set right." --Senator Carl Schurz (1872)
  11. Re:Move along...no news here by drsmithy · · Score: 2, Interesting
    Microsoft has this great idea with Windows 95 that things should be "document centric"; you don't open an application to print a document, you drag the document to the printer! Magic!

    I find it laughable you blame this UI paradigm on Windows when MacOS and OS/2 were doing it (and advertising it) _years_ beforehand (and the concept itself is even older). Microsoft were 5 - 10 years late to the pervasive drag & drop, sorta-object-oriented, document-centric interface, yet somehow it's their fault?

    For shame - your bias is showing.

    Behind the scenes Windows will silently open the application, feed it the data, and a command telling it to print to the printer.

    So does OS X. So does KDE. So does GNOME. So does every other remotely modern GUI released in the last 10 - 15 years. What's your point?

    Windows can be told instead to execute the data as code, [...]

    If the app has a buffer overflow, maybe - but Windows hardly has a monopoly on buffer overflows.