Possible RSS Abuse in Longhorn

dMill writes "There has been a lot of discussion about Microsoft's decision to bake RSS into Longhorn (see previous Slashdot coverage) but the obvious security implications seem to be on the back burner. eWeek has a story discussing the risks and Don Park is also warning about the potential for abuse and exploitation. For example, the primary mechanism behind podcast, RSS enclosure, can be used to deliver worms and worse to the desktops. If there are any vulnerabilities in iPod (or any MP3 player hooked up to podcast sync client) codec, then podcasting is a good way to deliver overflow inducing content."

Worse than worms?!?

[zerocool^]

Worse than worms?!? Worms can get into your system, slave it, erase or steal data, slow it down, advertise to you, and any number of other things! What's worse than lost data, identity theft, popups, and a slow computer? Strangulation via TCP/IP?

~Will

Re:Worse than worms?!?

[Trigun]

copying a folder of lolita child porn to your hard drive, mucking with the dates, and sending a tipoff to the FBI?

I'd rather have the worms than Hepatitis and UPIAs in the shower.

Re:Worse than worms?!?

[gclef]

This

OS X

[m0rph3us0]

I guess OS X must be REALLY insecure then.

There is a big difference between RSS being a security risk and a bad implementation of an RSS reader and poor security model being insecure.

Re:OS X

[DrSkwid]

Even seasoned sysadmin pros will tell you that part of the reason Linux is so secure is because the public doesn't perceive it as The Enemy and script kiddies don't think it's so much fun to take apart and take out a RedHat server as a Window Server 2003 one.

See, even seasoned sysadmin pros can be wrong.

Linux boxes get owned every day of the week, just like any other box with exploits available.

The perception of security has *nothing to do* with the actual security.

Re:OS X

[masklinn]

Last time I checked, Safari had RSS support and iTunes 4.9 had podcasting but OSX itself didn't integrate RSS & podcasting into the kernel or os space...

Re:OS X

[FunWithHeadlines]

Slashdot certainly has always been a traditional MS haters club, yes. But /. has been paying attention to all the Microsoft stories, so no surprise there.

What has surprised me is that in the last year or two, I've noticed a real change around here. Now if you post something knocking Microsoft, you are equally likely to get modded to oblivion as modded up. Since Microsoft hasn't changed, I can attribute this shift to one of two things:

1. Lots of new people reading /. who don't know (or don't care) about Microsoft's shady behavior, and get offended if you say anyting bad about them.

2. Microsoft astroturfing. People who scope out anti-Microsoft talk and mod down accordingly.

Re:OS X

[DrSkwid]

> And if you don't my asking, what's an FXP site?
I don't mind at all, in fact I used it as a test to see if you knew much about the scene on which you are trying to comment. File eXchange Protocol http://en.wikipedia.org/wiki/FXP

It is used by warez traders. One can transfer files between two FTP servers without any having to come to you first. One owns a (usually Windows) box, creates hidden directories with directory names that are untypeable at the terminal (using special characters) [the _vti directories are a good base for this, MCSE admins rarely look inside them and even if they do, have no idea what they are for]. One can then FXP between hosts, thus obfuscating the audit trail. One uses a base owned box to use as a file store and preserve it's bandwidth thus reducing the likelyhood of discovery. One then FXPs the warez to other owned hosts and these secondary tiers have their hostnames posted in irc for other couriers to download from and distribute.

The other major use for owned machines is as an irc bouncer to facilitate the above.

Microsoft Windows is targetted because it is a soft ubiquitous target, pure and simple, not because the attacker has any personal feelings about the OS.

Re:OS X

[NanoGator]

" Now if you post something knocking Microsoft, you are equally likely to get modded to oblivion as modded up. Since Microsoft hasn't changed, I can attribute this shift to one of two things:"

The shift is because of all the sensationalistic bullshit Slashdot's been stoking for the last few years. Noone can really judge from reading Slashdot whether or not MS really is shady. Because everything MS does is bad, even if your favorite company does the same thing. A Linux distro intentionally infringes on MS's trademark? It's Microsoft's fault. Security flaw in IE? It's time to switch. Security flaw in Firefox? This is proof we should stay with Firefox. Microsoft decides to discontinue support for Windows 98? MS is evil for forcing people to upgrade. Microsoft decides to continue support for Windows 98? MS is evil for keeping that insecure OS around.

You don't have to be an MS astroturfer to be sick of the bullshit and often outright fiction that the Slashdot community post about MS. Why would I care? Because I love Microsoft? Heh no. Not even close. If Slashdot posted a story right now about MS truely doing something evil, it wouldn't be anymore credible to me than Rush Limbaugh's criticism of a democrat. Slashdot's cried wolf too many times.

Slashdot's lack of credibility about Microsoft is not a result of astroturfing.

Re:OS X

[drsmithy]

And that's why Apple is smarter than M$...by not integrating it into the OS in a stupid and unneccessary way they can avoid some degree of exploitability.

Hate to break it to you, but IE is no more "integrated" into Windows than Safari+WebKit+WebCore is into OS X.

There is zero reason to believe a Microsoft RSS "reader" will be any more "integrated" into Windows than the OS X one is into OS X.

Re:OS X

[drsmithy]

Fanboys? All you have to do in order to become anti-Microsoft is pay attention.

Only if you're a biased 15 year old with a worldview about as wide as a pencil.

Microsoft behave much the same way every other company does in the computing world. The only difference is their actions have a much wider impact than most others (within the computing world).

If you want to get into a global scale and move outside of the computing world, Microsoft are practically a *saint* in comparison to the /real/ "big nasty corporations. Thousands of babies have not died because of a deceptive Microsoft marketing campaign. Wars have not been started because Microsoft wanted to make some more money.

Get some fucking perspective.

Re:OS X

[FunWithHeadlines]

Aaron,

I will take you at your word that you are a decent guy and that your query was genuine. Can I dislike Microsoft while still liking individuals who work there or who work with their products? Sure. Just as I can criticize the actions of the government while being good friends with my neighbor Joe Civic Servant down the street. We are all familiar with how groups of decent individuals can come together in an organization that then causes them to act in ways that perpetuate the organization, even if those ways wind up being bad.

Has Microsoft changed? I don't see much of a change. Their attack on Linux hasn't gained much traction, so in recent months and years they have occasionally tried the carrot instead of the stick and said nice things about Open Source and Free Software. But since the GPL is antithetical to their business model, it seems to be just words. Their actions continue to show that they have not changed.

I spent 15 minutes with Google to come up with some recent relevant examples that show their current attitude. Is every story below accurate? Maybe not. But when there's that much smoke...

Ballmer: Linux violates patents; use it and you will be sued by somebody

MS Office XML Format licence is incompatible with the GPL

HP Memo: "Microsoft will soon be launching a patent-based legal offensive against Linux"

Microsoft using the WTO as a proxy to fight free software

Microsoft's antitrust offering 'blocks Samba'

Microsoft's New Monopoly

Microsoft remains unrepentant, says antitrust judge

Rivals Say Microsoft Flouts Antitrust Settlement

Re:OS X

[FunWithHeadlines]

"Microsoft behave much the same way every other company does in the computing world. "

That wouldn't excuse a thing, even if it were true. But it's not true. They have behaved shamefully, and to a worse degree than other companies. Perhaps it's only because of the power they wield, but they have behaved in a shameful manner.

"If you want to get into a global scale and move outside of the computing world, Microsoft are practically a *saint* in comparison to the /real/ "big nasty corporations. Thousands of babies have not died because of a deceptive Microsoft marketing campaign. Wars have not been started because Microsoft wanted to make some more money."

Nobody said they were, but we are talking about computers here. This isn't the Politics section. Just because there are awful corporate actions elsewhere doesn't excuse a thing Microsoft has done. "He does it too!" is a kindergarten excuse.

"Get some fucking perspective."

Get some manners.

Move along...no news here

[mrhandstand]

So what we are being told it that downloading something from a potentially untructed source and then running that data casn lead to bad things? Oh My!

When are we going to stop acting like each new protocol or application vulnerability is a new thing? Until NX (No Execute) and good input sanitization is ubiquitous, these things will contine to plague the networked world.

Re:Move along...no news here

[danheskett]

Ahh..

you are uninformed.

Real systems seperate executable code and data effectively without resorting to things like NX.

Microsoft has this great idea with Windows 95 that things should be "document centric"; you don't open an application to print a document, you drag the document to the printer! Magic! Behind the scenes Windows will silently open the application, feed it the data, and a command telling it to print to the printer. Sounds good, but the problem is that (1) Windows can be told to perform a different action instead of "print" - all actions are created equal. (2) Windows can be told instead to execute the data as code, (3) the "correct application" can be changed, feeding your data to any old app that feels like it should register itself as the handler of that data type, etc.

So in the name conveince MS has created a gigantic system where any thing can be executed as code and nothing is truly data. Then they go and design a huge mass of file formats that contain both data and binary.

Re:Move along...no news here

[mrhandstand]

I understand what real OS's do...I run one. :-D Unfortunately, the VAST majority of people don't, so we get to hope for NX and data sanitization.

Re:Move along...no news here

[danheskett]

The vast majority of people are not OS developers. The only people who have to understand this now are MS people.

COM and it's OLE predecessors is inherently insecure simply because it mixes data and code. Bad. BAD.

Re:Move along...no news here

[John+Whitley]

Until NX (No Execute) and good input sanitization is ubiquitous, these things will contine to plague the networked world.

Even these may not be enough. I think it's going to be really hard to get good, ubiquitous input sanitization. Folks will keep generating new and interesting dynamic, networked appplications, vulnerable in new and interesting ways...

A nice tip-of-the-iceberg example are notes on supported Python versions from the Zope team. They recommend Python 2.3.5, not the new 2.4.1, not for stability, but because they haven't had a chance to do a security audit of the new Python features in 2.4 to make sure that no security holes would be inadvertently created by running Zope on the newer Python release.

Re:Move along...no news here

[the+right+sock]

Real systems seperate executable code and data effectively without resorting to things like NX

These memory segments are separate, but nothing will prevent a CPU from executing valid code in a data segment. Overflow exploits work by diverting execution to code stored in data. The whole point behind NX is to prevent that.

Re:Move along...no news here

[drsmithy]

Microsoft has this great idea with Windows 95 that things should be "document centric"; you don't open an application to print a document, you drag the document to the printer! Magic!

I find it laughable you blame this UI paradigm on Windows when MacOS and OS/2 were doing it (and advertising it) _years_ beforehand (and the concept itself is even older). Microsoft were 5 - 10 years late to the pervasive drag & drop, sorta-object-oriented, document-centric interface, yet somehow it's their fault ?

For shame - your bias is showing.

Behind the scenes Windows will silently open the application, feed it the data, and a command telling it to print to the printer.

So does OS X. So does KDE. So does GNOME. So does every other remotely modern GUI released in the last 10 - 15 years. What's your point ?

Windows can be told instead to execute the data as code, [...]

If the app has a buffer overflow, maybe - but Windows hardly has a monopoly on buffer overflows.

Re:Move along...no news here

[julesh]

The point, besides your nitpicking know-it-all attitude is that MS's lack of data/code seperation has lead to nasty NX hacks and processor tricks to solve a problem that other OS's don't have.

But data and code are as separate on Windows as they are on any other OS. The problem with Windows has nothing to do with this. The largest problems are:

1. Much of the code was written without concern for security by people who didn't really understand how to make it secure. This lead to things like the RPC service buffer overflow.

2. There has been too much emphasis on making the system easy to use at the expense of security. This lead to things like the default password issue in SQL server, which originated a worm of its own.

3. There has been too much emphasis on flexibility at the expense of security. This led to MS Word viruses, and is possibly the closest to your point.

4. The system has been marketed on the basis that any idiot can use it. While this is true, any idiot can also use it to download and run malicious code without knowing it. There should have been more user education.

5. The system has blurred distinctions between outward facing components (e.g. Internet Explorer's DHTML implementation) and restricted-access inward facing ones (e.g. the extended versions of Javascript that are used for internal scripting purposes only). This has led to many scripting and active-x based security holes, and has in fact prompted MS to switch off Javascript on the local machine by default in SP2. Entirely.

I don't see how COM is to blame for any of these. Or DDE. Or OLE. Or even ActiveX, which is a fine technology if used appropriately.

And NX isn't really a nasty hack, it's something that should have been present and in use from the beginning. And if you really think other OSs don't have any buffer overflows, you're living with your head in the sand. I've had a buffer overflow exploited on one of my Linux boxes before now, although fortunately the worm using it failed to install correctly because it was intended for systems with a different configuration to mine.

Blah! We don't have to worry...

[slapout]

...cause Longhorn is going to be built on secure .Net technology......oh wait....nevermind. :-)

cached links

[joeldg]

in case the articles get nuked:

http://www.eweek.com.nyud.net:8090/article2/0,1759 ,1833035,00.asp

http://www.docuverse.com.nyud.net:8090/blog/donpar k/EntryViewPage.aspx?guid=1bedfa3f-e67f-4d78-8b2d- cff3a9ccf90a

Handy little caching service.

What!?

[jb.hl.com]

What retard decided to put binary data in RSS? Or would allow execution of code linked to by an RSS feed? That is truly the most retarded thing Microsoft could have done with regards to security. It's like a condom with the capability to have semen smeared on the outside. Utterly fucking stupid.

Re:What!?

[DrSkwid]

All data is binary, anything else is an illusion.

Re:What!?

[I+confirm+I'm+not+a]

What retard decided to put binary data in RSS? Or would allow execution of code linked to by an RSS feed? That is truly the most retarded thing Microsoft could have done with regards to security.

That would be Adam Curry and Dave Winer, an MTV DJ and a 'net hacker (the guy behind RSS1 and RSS2, IIRC)

Embedding RSS (and, more importantly, the RSS "enclosure" magic that enables podcasting) is right up there with "let's embed the browser right into the OS", but to be fair to MS it wasn't them who decided to put binary data into RSS. Though I bet they're kicking themself right now - "no patents for us!"

Re:What!?

[StrawberryFrog]

Joe Baldwin is amnesiac? There's one for the E2 rumour mill.

Re:What!?

[Mark+of+THE+CITY]

Actually, it's analog; binary plays only a bit part.

Re:What!?

[I+confirm+I'm+not+a]

...the smearing of cement on condoms...

Dude, I am so not having sex with you.

Re:What!?

[uncommonlygood]

True, and the original poster seems to foolishly believe that ASCII text can't be used to exploit a buffer overflow. Firstly, it can (random googled link), and secondly, you can send anything you want over the network, whether the spec says "binary data" is OK or not, unless there's some kind of filter that only lets certain types of bytes through.

OMG Don Park is Warning!

Oh I see,
Don Park is warning!

Glad to hear what Don Park has to say about this story.

I love Don Park, I read every word he writes!

WHO THE FUCK IS DON PARK?

Common sense

RSS is a transmission vector. Data can get onto your system through RSS in the same way it can get onto your system through email, through floppy disks, through web browsing, and so on.

Wherever there's a transmission vector, there's possibility for infection if applications that consume that data are insecure.

So basically, this "possible abuse" warning is simply saying "You know those applications that suck up lots of untrusted data? If they are insecure, you may have problems!" Sorry, but there's nothing new here.

In fact, having it built into Longhorn could reduce the likelihood for security holes. All the RSS-consuming applications use their own home-grown parsing routines right now. Switching to one shared library means there's only one place for vulnerabilities to arise in this respect, and when each vulnerability is fixed, it will be fixed for all the applications at once.

On the other hand, this is Microsoft that is writing the shared library, and we all know how secure their coding is. Internet Explorer hasn't had any meaningful updates for four years, and they are still finding holes in it on a regular basis - which means that every application that embeds Trident (Internet Explorer's rendering engine) are constantly in a state of insecurity. It all comes down to the benefits of shared libraries versus the incompetence of Microsoft.

Perhaps this is _why_ msft is interested.

[team99parody]

One thing we often overlook is that weak security is actually in the interest of Microsoft, because it's a primary drivers of corporate upgrades.

Many businesses are still content with Windows2000; and see little reason to upgrade to Longhorn. One of the easiest buttons to push to get a CFO to approve upgrades is finding security holes in the old systems.

As long as Microsoft's business model is so dependant on bleeding it's existing customers until they're dry; I don't think it's really in their interest to stop security holes. Of course they don't want to launch Longhorn with a bunch of old IE holes that are already exploited, so they need to find new areas for this. Slowly adding new holes like RSS; where the holes may not be found for many years is perfect for the upgrade plan.

[yes, it was a troll; but I think there's a truth to the fact that security weeknesses in Windows is a major driver of upgrades]

Re:Perhaps this is _why_ msft is interested.

[dioscaido]

Insightful, except for the fact that I'm a developer on Longhorn, and I have to spend endless hours pouring through my designs with security groups within Microsoft. And once my component is ready, the source is shipped to the security group for one final run through for vulnerabilities.

While it may be nice to think these conspiracy theories that we purposefully put in vulnerabilities, the fact is that at least since 2003 MS has kicked itself into shape and now has security as the top priority. We're actually seeing for the first time security concerns trumping 'user friendliness', which is great. Anyway, we have too many eyes from different groups going through oru designs and actual code for people to make such shady business decisions.

Re:Perhaps this is _why_ msft is interested.

[rhizome]

While it may be nice to think these conspiracy theories that we purposefully put in vulnerabilities, the fact is that at least since 2003 MS has kicked itself into shape and now has security as the top priority.

That's fine, but the fact remains that Microsoft is adding new attack vectors just as they are incorporating new technologies to deal with security holes (which themselves qualify as potential vulnerabilities). It may be a stereotype, but the culture of "Uncle Bill" really holds sway here, that Microsoft sets itself up as both the cause and solution to security problems and extending RSS to include executable binary code is just as smart as ActiveX in the browser. That is, "not very," for the majority of users, and "definitely not" for the wild-and-wooly Internet environment.

Keep in mind Hanlon's law here. It's not enough to say that Microsoft is feeding a conspiracy by making shady business decisions because I don't think they are. They just can't help making dumb ones. Refer to the allegory of the scorpion and the frog for further illustration.

Re:Perhaps this is _why_ msft is interested.

[team99parody]

Thanks for the informed response to my troll [argh, I was going for a cheapshot conspiracy-theory-funny and I even said I was trolling yet I still got modded up (go figure)]

"We're actually seeing for the first time security concerns trumping 'user friendliness', which is great."

Is it great? As someone with stock in Microsoft, I wonder if Microsoft's newfound obsession with security is a poor strategic decision that really doesn't play to Micrsoft's strenghts. Computer security is really an area of expertise that really lends itself to small contained systems that are very conservative in the features they include. The bulk of Microsoft's market lends itself to feature rich (some would say bloated) applications and leading edge (some would say beta-quality) features.

Of course security is important - but consider that all businesses in all industries have to make calculated risk/reward calculations when they ballance security with other demands. For example, if Ford decided that security was the overriding principal, their cars would all have 4-point-seat belts; be armored tanks; and go only 10 MPH. Surely there are small niche demands for such features (racecars, infant-car-seats, and military); but Ford strikes a reasonable ballance between risk and reward for the core of the market. Similarly credit companies strike a careful ballance between the ease to use a credit card and the ease to steal a credit card. Much like a credit card company, it seems Microsoft would be better served by continuing to focus on the most profitable segment and like credit companies provide guarantees against loss due to their inevitable security problems.

By saying Microsoft wants Longhorn to be both feature-competitive with Linux and security-competitive with OS/390 & Solaris they're really creating a bizzare racecar+tank+HondaCivic-frankenstein that will fail at all of those goals.

Anyway, we have too many eyes from different groups going through [our] designs and actual code for people to make such[...]

Forgive me from finishing your sentence; but seeing how many features got dropped from Longhorn it seems these eyes are preventing a lot of features from getting done as well.

And of course I didn't mean to suggest that Gates and Balmer are deliberatelly telling people to inject bugs. However they are telling them to inject features (like RSS, and Internet Explorer, etc) that have no place in a secure OS. And I do believe that they are well aware of the security implications of those directions; and that they're smart enough to realize that this will help their upgrade business down the road.

Always report RSS abuse

[stinerman]

RSS abuse has gone on far too long. It may seem unthinkable to some people who long for an RSS of their own (but have had to adopt), but some people do abuse RSS.

If you see your RSS feed has some broken links or other irregularities, report it immediately to your sys admin -- even if the RSS explains it away as random line noise or CRC errors. Protecting one's abuser is a sign of continued abuse.

Only YOU can help stop RSS abuse!

Is somebody hungry?

[B5_geek]

...decision to bake RSS into Longhorn... ...on the back burner.

No wonder MS says they can't remove things like IE from the operating system; They cook it all together!!!

Uh...

[Momoru]

I see the comments are already filled with "What do you expect its microsoft!!!" and "Hah! hacked b4 its out!!!" comments... This is just speculation about a potential vulernability, in a feature that is not even in a beta in an OS that is not even in beta. Cripes, at least wait until it's out before rushing to any judgements...you know you all use Windows anyways.

The perfect slashdot article

[gowen]

vulnerabilities in iPod codec, then podcasting is a good way to deliver overflow inducing content.

Only on slashdot can people find a way to blame (putative) Apple vulnerabilities on Microsoft.

Re:Not IF there are vulnerabilities but WHAT they

[peragrin]

In 1999 people discussed the security problems of ActiveX. 3 years later MSFT was having a nightmare over those said same problems.

Embrace Extend poorly, an extinguish everything seems to be MSFT's philosophy.

MSFT wants locking so badly it forgets to look for the simple errors.

Mod parent up

[Animats]

That's exactly what Microsoft tells the huge number of business users still running Windows 2000. It's not a troll; it's reality.

Microsoft keeps adding stuff to Windows that allows external programs to initiate activity from the network. Windows Messenger Service. Universal Plug and Play. Windows Update. Active Management. AutoPlay. Now, RSS. And they consistently have them turned on by default. This guarantees a large supply of future security holes.

In ten years, they haven't even been able to secure Outlook.

Easier way

Can't MS just develop a specific API for people trying compromise windows machines, it would be less work for everyone.

Re:Easier way

[shutdown+-p+now]

They did. It was called ActiveX, but is now being deprecated in favor of .NET.

OMG!!!

[oneeyedelf1]

In other news Internet Explorer automatically downloads pictures linked to in HTML. Images could contain worms. And be executed by possible buffer overflows when image is displayed. Personally I would love rss intergration for most programs, an easy way to integrate things like changelogs in newer version notifications to decide if updating is worth it, etc etc. I have a feeling lots of cool stuff could be done with this power. I am all about delivering content formated how you want it, where you want it, when you want it. Microsoft looks like its on the right direction here.

Any binary data - exe, zip, pdf can be enclosed

[BoyBlunder]

Can we get back on topic and discuss the potential issues with RSS instead of the gratuitous MSFT bashing? All MSFT has done is bring this to the front burner.

RSS enclosures can move anything. Corrupt the underlying XML (or the data it is trying to move in the enclosure) and all your victims will pull it onto their desktops automatically. An analog is having HTML email and using a preview pane. You wouldn't do that, but RSS enables it. Got a PDF that exploits an Adobe vulnerability? Add it as an enclosure. Got an image? Same deal. Got a zip? Go ahead. It's not just the currently trendy podcasting and audio files that pose threats. Worse yet, there are many RSS clients our there, not just a few (unlike browser or email). Many opportunities to find holes. Most clients use IE to render the HTML, so there's also the risk of phishing, embedded script, moveable code and other standard HTML malware. What are the vendors doing to mitigate this? Good question. Anyone from feedburner, say, care to comment?

RSS doesn't stand for Really Scary Security - yet. MSFT just made it a much richer target - let's save the guesswork about the quality of their implementation for when it actually shows up.

Re:Why worry?

[Alioth]

Yes - you do have to worry about it. Your computer is no longer an island once it's on the Internet.

At home, I do not run any Microsoft software, yet I still have to deal with the consequences of zombied Windows PCs on broadband connections, deluging my email inbox with spam and chewing up valuable network bandwidth. When SQL Slammer made its attack, it completely knocked out one of the ISPs here due to the massive amount of traffic.

Microsoft's insecurity affects everyone - even those who don't use MS software at all.

MS vs Apple

I'm far from an MS fan, doing all of my work for the last few years on Linux, and being currently in the process of moving to OS X. But I have to ask, why is /. reporting a possible vulnerability in an unreleased OS, whereas a serious flaw in the design of OS X (here, today, right now) has not been talked about at all.

RSS is a potential attack vector

[vonoech]

In this instance RSS represents a particular attack vector (or a transport mnechanism) that an exploit (like a virus or a worm) can take to attack the host system.

I think it is interesting that Microsoft is using a well known protocol in Longhorn, especially one that wasn't developed at Microsoft. If RSS in Longhorn is exploited then the folks their can point back to the open source RSS development community and look for help getting the vector or the exploit addressed.

It will also be intersting to see the kind of impact that Microsoft might try to have over RSS development going forward.

Worrmcasting?

[Scott+Byer]

Using phish for bait?

This Is Why a Secure Windows is Impossible

[Prototerm]

This latest bit of news exemplifies why Microsoft will never be able to secure Windows -- why, in fact, it will never be able to even come close. Microsoft has this philosophy of supporting features like RSS in the lowest levels of the OS, in ways no sane person would even consider, never mind implement. Programmers always make mistakes. That's a given. All it takes is one small mistake to compromise the entire system. You don't add this sort of feature without being very careful (and we all know how successful Microsoft has been in this area).

I don't care what Microsoft says in its Get the FUD campaign, this design philosophy is the reason Windows will always be inferior to Linux when it comes to security, not the relative popularity of Windows and Linux.

As I've ranted before: using Windows is like having unprotected group sex with a roomful of complete strangers. This latest hare-brained scheme of theirs will like inviting even more people to the sex party. Ugh! Time to become a Monk.