Slashdot Mirror

← Back to Stories (view on slashdot.org)

Possible RSS Abuse in Longhorn

Posted by Zonk on from the really-sleazy-stuff dept.

dMill writes "There has been a lot of discussion about Microsoft's decision to bake RSS into Longhorn (see previous Slashdot coverage) but the obvious security implications seem to be on the back burner. eWeek has a story discussing the risks and Don Park is also warning about the potential for abuse and exploitation. For example, the primary mechanism behind podcast, RSS enclosure, can be used to deliver worms and worse to the desktops. If there are any vulnerabilities in iPod (or any MP3 player hooked up to podcast sync client) codec, then podcasting is a good way to deliver overflow inducing content."

27 of 214 comments (clear)

  1. Worse than worms?!? by zerocool^ · · Score: 4, Insightful


    Worse than worms?!? Worms can get into your system, slave it, erase or steal data, slow it down, advertise to you, and any number of other things! What's worse than lost data, identity theft, popups, and a slow computer? Strangulation via TCP/IP?

    ~Will

    --
    sig?
    1. Re:Worse than worms?!? by Trigun · · Score: 3, Funny

      copying a folder of lolita child porn to your hard drive, mucking with the dates, and sending a tipoff to the FBI?

      I'd rather have the worms than Hepatitis and UPIAs in the shower.

    2. Re:Worse than worms?!? by gclef · · Score: 3, Funny

      This

  2. OS X by m0rph3us0 · · Score: 5, Insightful

    I guess OS X must be REALLY insecure then.

    There is a big difference between RSS being a security risk and a bad implementation of an RSS reader and poor security model being insecure.

    1. Re:OS X by NanoGator · · Score: 3, Informative

      " Now if you post something knocking Microsoft, you are equally likely to get modded to oblivion as modded up. Since Microsoft hasn't changed, I can attribute this shift to one of two things:"

      The shift is because of all the sensationalistic bullshit Slashdot's been stoking for the last few years. Noone can really judge from reading Slashdot whether or not MS really is shady. Because everything MS does is bad, even if your favorite company does the same thing. A Linux distro intentionally infringes on MS's trademark? It's Microsoft's fault. Security flaw in IE? It's time to switch. Security flaw in Firefox? This is proof we should stay with Firefox. Microsoft decides to discontinue support for Windows 98? MS is evil for forcing people to upgrade. Microsoft decides to continue support for Windows 98? MS is evil for keeping that insecure OS around.

      You don't have to be an MS astroturfer to be sick of the bullshit and often outright fiction that the Slashdot community post about MS. Why would I care? Because I love Microsoft? Heh no. Not even close. If Slashdot posted a story right now about MS truely doing something evil, it wouldn't be anymore credible to me than Rush Limbaugh's criticism of a democrat. Slashdot's cried wolf too many times.

      Slashdot's lack of credibility about Microsoft is not a result of astroturfing.

      --
      "Derp de derp."
    2. Re:OS X by drsmithy · · Score: 3, Insightful
      Fanboys? All you have to do in order to become anti-Microsoft is pay attention.

      Only if you're a biased 15 year old with a worldview about as wide as a pencil.

      Microsoft behave much the same way every other company does in the computing world. The only difference is their actions have a much wider impact than most others (within the computing world).

      If you want to get into a global scale and move outside of the computing world, Microsoft are practically a *saint* in comparison to the /real/ "big nasty corporations. Thousands of babies have not died because of a deceptive Microsoft marketing campaign. Wars have not been started because Microsoft wanted to make some more money.

      Get some fucking perspective.

    3. Re:OS X by FunWithHeadlines · · Score: 3, Informative
      Aaron,

      I will take you at your word that you are a decent guy and that your query was genuine. Can I dislike Microsoft while still liking individuals who work there or who work with their products? Sure. Just as I can criticize the actions of the government while being good friends with my neighbor Joe Civic Servant down the street. We are all familiar with how groups of decent individuals can come together in an organization that then causes them to act in ways that perpetuate the organization, even if those ways wind up being bad.

      Has Microsoft changed? I don't see much of a change. Their attack on Linux hasn't gained much traction, so in recent months and years they have occasionally tried the carrot instead of the stick and said nice things about Open Source and Free Software. But since the GPL is antithetical to their business model, it seems to be just words. Their actions continue to show that they have not changed.

      I spent 15 minutes with Google to come up with some recent relevant examples that show their current attitude. Is every story below accurate? Maybe not. But when there's that much smoke...

      Ballmer: Linux violates patents; use it and you will be sued by somebody

      MS Office XML Format licence is incompatible with the GPL

      HP Memo: "Microsoft will soon be launching a patent-based legal offensive against Linux"

      Microsoft using the WTO as a proxy to fight free software

      Microsoft's antitrust offering 'blocks Samba'

      Microsoft's New Monopoly

      Microsoft remains unrepentant, says antitrust judge

      Rivals Say Microsoft Flouts Antitrust Settlement

  3. Move along...no news here by mrhandstand · · Score: 4, Insightful
    So what we are being told it that downloading something from a potentially untructed source and then running that data casn lead to bad things? Oh My!

    When are we going to stop acting like each new protocol or application vulnerability is a new thing? Until NX (No Execute) and good input sanitization is ubiquitous, these things will contine to plague the networked world.

    --
    Always value the individual over the system. --Bruce Lee "I don't need a Sig - I have a custom 191" - me
    1. Re:Move along...no news here by danheskett · · Score: 3, Insightful

      Ahh..

      you are uninformed.

      Real systems seperate executable code and data effectively without resorting to things like NX.

      Microsoft has this great idea with Windows 95 that things should be "document centric"; you don't open an application to print a document, you drag the document to the printer! Magic! Behind the scenes Windows will silently open the application, feed it the data, and a command telling it to print to the printer. Sounds good, but the problem is that (1) Windows can be told to perform a different action instead of "print" - all actions are created equal. (2) Windows can be told instead to execute the data as code, (3) the "correct application" can be changed, feeding your data to any old app that feels like it should register itself as the handler of that data type, etc.

      So in the name conveince MS has created a gigantic system where any thing can be executed as code and nothing is truly data. Then they go and design a huge mass of file formats that contain both data and binary.

    2. Re:Move along...no news here by the+right+sock · · Score: 3, Informative

      Real systems seperate executable code and data effectively without resorting to things like NX

      These memory segments are separate, but nothing will prevent a CPU from executing valid code in a data segment. Overflow exploits work by diverting execution to code stored in data. The whole point behind NX is to prevent that.

  4. Blah! We don't have to worry... by slapout · · Score: 5, Funny

    ...cause Longhorn is going to be built on secure .Net technology......oh wait....nevermind. :-)

    --
    Coder's Stone: The programming language quick ref for iPad
  5. What!? by jb.hl.com · · Score: 3, Funny

    What retard decided to put binary data in RSS? Or would allow execution of code linked to by an RSS feed? That is truly the most retarded thing Microsoft could have done with regards to security. It's like a condom with the capability to have semen smeared on the outside. Utterly fucking stupid.

    --
    By summer it was all gone...now shesmovedon. --
    1. Re:What!? by I+confirm+I'm+not+a · · Score: 3, Informative

      What retard decided to put binary data in RSS? Or would allow execution of code linked to by an RSS feed? That is truly the most retarded thing Microsoft could have done with regards to security.

      That would be Adam Curry and Dave Winer, an MTV DJ and a 'net hacker (the guy behind RSS1 and RSS2, IIRC)

      Embedding RSS (and, more importantly, the RSS "enclosure" magic that enables podcasting) is right up there with "let's embed the browser right into the OS", but to be fair to MS it wasn't them who decided to put binary data into RSS. Though I bet they're kicking themself right now - "no patents for us!"

      --
      This is where the serious fun begins.
    2. Re:What!? by Mark+of+THE+CITY · · Score: 3, Funny

      Actually, it's analog; binary plays only a bit part.

      --
      The clearance system sounds logical. It is not. It is completely arbitrary. -- John Bolton
    3. Re:What!? by I+confirm+I'm+not+a · · Score: 3, Funny

      ...the smearing of cement on condoms...

      Dude, I am so not having sex with you.

      --
      This is where the serious fun begins.
  6. Common sense by Anonymous Coward · · Score: 3, Insightful

    RSS is a transmission vector. Data can get onto your system through RSS in the same way it can get onto your system through email, through floppy disks, through web browsing, and so on.

    Wherever there's a transmission vector, there's possibility for infection if applications that consume that data are insecure.

    So basically, this "possible abuse" warning is simply saying "You know those applications that suck up lots of untrusted data? If they are insecure, you may have problems!" Sorry, but there's nothing new here.

    In fact, having it built into Longhorn could reduce the likelihood for security holes. All the RSS-consuming applications use their own home-grown parsing routines right now. Switching to one shared library means there's only one place for vulnerabilities to arise in this respect, and when each vulnerability is fixed, it will be fixed for all the applications at once.

    On the other hand, this is Microsoft that is writing the shared library, and we all know how secure their coding is. Internet Explorer hasn't had any meaningful updates for four years, and they are still finding holes in it on a regular basis - which means that every application that embeds Trident (Internet Explorer's rendering engine) are constantly in a state of insecurity. It all comes down to the benefits of shared libraries versus the incompetence of Microsoft.

  7. Perhaps this is _why_ msft is interested. by team99parody · · Score: 3, Insightful
    One thing we often overlook is that weak security is actually in the interest of Microsoft, because it's a primary drivers of corporate upgrades.

    Many businesses are still content with Windows2000; and see little reason to upgrade to Longhorn. One of the easiest buttons to push to get a CFO to approve upgrades is finding security holes in the old systems.

    As long as Microsoft's business model is so dependant on bleeding it's existing customers until they're dry; I don't think it's really in their interest to stop security holes. Of course they don't want to launch Longhorn with a bunch of old IE holes that are already exploited, so they need to find new areas for this. Slowly adding new holes like RSS; where the holes may not be found for many years is perfect for the upgrade plan.

    [yes, it was a troll; but I think there's a truth to the fact that security weeknesses in Windows is a major driver of upgrades]

    1. Re:Perhaps this is _why_ msft is interested. by dioscaido · · Score: 4, Informative

      Insightful, except for the fact that I'm a developer on Longhorn, and I have to spend endless hours pouring through my designs with security groups within Microsoft. And once my component is ready, the source is shipped to the security group for one final run through for vulnerabilities.

      While it may be nice to think these conspiracy theories that we purposefully put in vulnerabilities, the fact is that at least since 2003 MS has kicked itself into shape and now has security as the top priority. We're actually seeing for the first time security concerns trumping 'user friendliness', which is great. Anyway, we have too many eyes from different groups going through oru designs and actual code for people to make such shady business decisions.

    2. Re:Perhaps this is _why_ msft is interested. by rhizome · · Score: 3, Insightful

      While it may be nice to think these conspiracy theories that we purposefully put in vulnerabilities, the fact is that at least since 2003 MS has kicked itself into shape and now has security as the top priority.

      That's fine, but the fact remains that Microsoft is adding new attack vectors just as they are incorporating new technologies to deal with security holes (which themselves qualify as potential vulnerabilities). It may be a stereotype, but the culture of "Uncle Bill" really holds sway here, that Microsoft sets itself up as both the cause and solution to security problems and extending RSS to include executable binary code is just as smart as ActiveX in the browser. That is, "not very," for the majority of users, and "definitely not" for the wild-and-wooly Internet environment.

      Keep in mind Hanlon's law here. It's not enough to say that Microsoft is feeding a conspiracy by making shady business decisions because I don't think they are. They just can't help making dumb ones. Refer to the allegory of the scorpion and the frog for further illustration.

      --
      When I was a kid, we only had one Darth.
  8. Always report RSS abuse by stinerman · · Score: 3, Funny

    RSS abuse has gone on far too long. It may seem unthinkable to some people who long for an RSS of their own (but have had to adopt), but some people do abuse RSS.

    If you see your RSS feed has some broken links or other irregularities, report it immediately to your sys admin -- even if the RSS explains it away as random line noise or CRC errors. Protecting one's abuser is a sign of continued abuse.

    Only YOU can help stop RSS abuse!

  9. Is somebody hungry? by B5_geek · · Score: 4, Funny

    ...decision to bake RSS into Longhorn... ...on the back burner.

    No wonder MS says they can't remove things like IE from the operating system; They cook it all together!!!

    --
    "The price good men pay for indifference to public affairs is to be ruled by evil men." ~Plato (427-347 BC)
  10. Uh... by Momoru · · Score: 3, Insightful

    I see the comments are already filled with "What do you expect its microsoft!!!" and "Hah! hacked b4 its out!!!" comments... This is just speculation about a potential vulernability, in a feature that is not even in a beta in an OS that is not even in beta. Cripes, at least wait until it's out before rushing to any judgements...you know you all use Windows anyways.

  11. The perfect slashdot article by gowen · · Score: 5, Insightful
    vulnerabilities in iPod codec, then podcasting is a good way to deliver overflow inducing content.
    Only on slashdot can people find a way to blame (putative) Apple vulnerabilities on Microsoft.
    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
  12. Mod parent up by Animats · · Score: 3, Interesting
    That's exactly what Microsoft tells the huge number of business users still running Windows 2000. It's not a troll; it's reality.

    Microsoft keeps adding stuff to Windows that allows external programs to initiate activity from the network. Windows Messenger Service. Universal Plug and Play. Windows Update. Active Management. AutoPlay. Now, RSS. And they consistently have them turned on by default. This guarantees a large supply of future security holes.

    In ten years, they haven't even been able to secure Outlook.

  13. Easier way by Anonymous Coward · · Score: 4, Funny

    Can't MS just develop a specific API for people trying compromise windows machines, it would be less work for everyone.

  14. Any binary data - exe, zip, pdf can be enclosed by BoyBlunder · · Score: 3, Informative
    Can we get back on topic and discuss the potential issues with RSS instead of the gratuitous MSFT bashing? All MSFT has done is bring this to the front burner.

    RSS enclosures can move anything. Corrupt the underlying XML (or the data it is trying to move in the enclosure) and all your victims will pull it onto their desktops automatically. An analog is having HTML email and using a preview pane. You wouldn't do that, but RSS enables it. Got a PDF that exploits an Adobe vulnerability? Add it as an enclosure. Got an image? Same deal. Got a zip? Go ahead. It's not just the currently trendy podcasting and audio files that pose threats. Worse yet, there are many RSS clients our there, not just a few (unlike browser or email). Many opportunities to find holes. Most clients use IE to render the HTML, so there's also the risk of phishing, embedded script, moveable code and other standard HTML malware. What are the vendors doing to mitigate this? Good question. Anyone from feedburner, say, care to comment?

    RSS doesn't stand for Really Scary Security - yet. MSFT just made it a much richer target - let's save the guesswork about the quality of their implementation for when it actually shows up.

  15. MS vs Apple by Anonymous Coward · · Score: 4, Interesting

    I'm far from an MS fan, doing all of my work for the last few years on Linux, and being currently in the process of moving to OS X. But I have to ask, why is /. reporting a possible vulnerability in an unreleased OS, whereas a serious flaw in the design of OS X (here, today, right now) has not been talked about at all.