Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Operating Systems Software Windows IT

Possible RSS Abuse in Longhorn 214

dMill writes "There has been a lot of discussion about Microsoft's decision to bake RSS into Longhorn (see previous Slashdot coverage) but the obvious security implications seem to be on the back burner. eWeek has a story discussing the risks and Don Park is also warning about the potential for abuse and exploitation. For example, the primary mechanism behind podcast, RSS enclosure, can be used to deliver worms and worse to the desktops. If there are any vulnerabilities in iPod (or any MP3 player hooked up to podcast sync client) codec, then podcasting is a good way to deliver overflow inducing content."
This discussion has been archived. No new comments can be posted.

Possible RSS Abuse in Longhorn

Comments Filter:
  • by zerocool^ ( 112121 ) on Thursday June 30, 2005 @11:59AM (#12951394) Homepage Journal

    Worse than worms?!? Worms can get into your system, slave it, erase or steal data, slow it down, advertise to you, and any number of other things! What's worse than lost data, identity theft, popups, and a slow computer? Strangulation via TCP/IP?

    ~Will
  • OS X (Score:5, Insightful)

    by m0rph3us0 ( 549631 ) on Thursday June 30, 2005 @12:00PM (#12951404)
    I guess OS X must be REALLY insecure then.

    There is a big difference between RSS being a security risk and a bad implementation of an RSS reader and poor security model being insecure.
    • Re:OS X (Score:3, Informative)

      by masklinn ( 823351 )
      Last time I checked, Safari had RSS support and iTunes 4.9 had podcasting but OSX itself didn't integrate RSS & podcasting into the kernel or os space...
      • Last time I checked, Safari had RSS support and iTunes 4.9 had podcasting but OSX itself didn't integrate RSS & podcasting into the kernel or os space...

        1. Define "OS Space".

        2. What on Earth makes you think Microsoft will put an RSS reader into kernel space in Windows ?

  • by mrhandstand ( 233183 ) on Thursday June 30, 2005 @12:01PM (#12951416) Journal
    So what we are being told it that downloading something from a potentially untructed source and then running that data casn lead to bad things? Oh My!

    When are we going to stop acting like each new protocol or application vulnerability is a new thing? Until NX (No Execute) and good input sanitization is ubiquitous, these things will contine to plague the networked world.

    • Comment removed (Score:4, Insightful)

      by account_deleted ( 4530225 ) on Thursday June 30, 2005 @12:06PM (#12951458)
      Comment removed based on user account deletion
      • I understand what real OS's do...I run one. :-D Unfortunately, the VAST majority of people don't, so we get to hope for NX and data sanitization.
        • Re: (Score:3, Insightful)

          Comment removed based on user account deletion
          • COM and it's OLE predecessors

            You, just like everyone else, seem to be confused on what COM, OLE, ActiveX, etc are and how they relate.

            COM is simply a CROSS-PLATFORM binary interface standard. It isn't Windows only, either.

            OLE is a SET of defined COM interfaces to Link and Embed Objects in documents (and similar). ActiveX was part marketing gimmick and part new version of OLE. This brought forth the mighty IDispatch interface for Automation.

            http://www.orafaq.com/glossary/faqglosc.htm#COM [orafaq.com]
            • Comment removed based on user account deletion
              • The point, besides your nitpicking know-it-all attitude is that MS's lack of data/code seperation has lead to nasty NX hacks and processor tricks to solve a problem that other OS's don't have.

                But data and code are as separate on Windows as they are on any other OS. The problem with Windows has nothing to do with this. The largest problems are:

                1. Much of the code was written without concern for security by people who didn't really understand how to make it secure. This lead to things like the RPC serv
      • Real systems seperate executable code and data effectively without resorting to things like NX

        These memory segments are separate, but nothing will prevent a CPU from executing valid code in a data segment. Overflow exploits work by diverting execution to code stored in data. The whole point behind NX is to prevent that.
      • Microsoft has this great idea with Windows 95 that things should be "document centric"; you don't open an application to print a document, you drag the document to the printer! Magic!

        I find it laughable you blame this UI paradigm on Windows when MacOS and OS/2 were doing it (and advertising it) _years_ beforehand (and the concept itself is even older). Microsoft were 5 - 10 years late to the pervasive drag & drop, sorta-object-oriented, document-centric interface, yet somehow it's their fault ?

        For s

    • Until NX (No Execute) and good input sanitization is ubiquitous, these things will contine to plague the networked world.

      Even these may not be enough. I think it's going to be really hard to get good, ubiquitous input sanitization. Folks will keep generating new and interesting dynamic, networked appplications, vulnerable in new and interesting ways...

      A nice tip-of-the-iceberg example are notes on supported Python versions from the Zope team. They recommend Python 2.3.5, not the new 2.4.1, not for sta
  • by slapout ( 93640 ) on Thursday June 30, 2005 @12:01PM (#12951417)
    ...cause Longhorn is going to be built on secure .Net technology......oh wait....nevermind. :-)
  • What!? (Score:3, Funny)

    by jb.hl.com ( 782137 ) <joe@@@joe-baldwin...net> on Thursday June 30, 2005 @12:07PM (#12951467) Homepage Journal
    What retard decided to put binary data in RSS? Or would allow execution of code linked to by an RSS feed? That is truly the most retarded thing Microsoft could have done with regards to security. It's like a condom with the capability to have semen smeared on the outside. Utterly fucking stupid.
    • Re:What!? (Score:3, Insightful)

      by DrSkwid ( 118965 )
      All data is binary, anything else is an illusion.

    • Re:What!? (Score:4, Informative)

      by I confirm I'm not a ( 720413 ) on Thursday June 30, 2005 @12:20PM (#12951596) Journal

      What retard decided to put binary data in RSS? Or would allow execution of code linked to by an RSS feed? That is truly the most retarded thing Microsoft could have done with regards to security.

      That would be Adam Curry and Dave Winer [ipodder.org], an MTV DJ and a 'net hacker (the guy behind RSS1 and RSS2, IIRC)

      Embedding RSS (and, more importantly, the RSS "enclosure" magic that enables podcasting) is right up there with "let's embed the browser right into the OS", but to be fair to MS it wasn't them who decided to put binary data into RSS. Though I bet they're kicking themself right now - "no patents for us!"

    • Re:What!? (Score:2, Informative)

      Joe Baldwin is amnesiac? There's one for the E2 rumour mill.
    • What retard decided to put binary data in RSS?

      Adam (how's my hair?) Curry, formerly of eMpTyVee fame...
    • It's like a condom with the capability to have semen smeared on the outside. Utterly fucking stupid.

      Not be picky or anything..

      1. I have yet to see any vendors applying techniques making the smearing of cement on condoms impossible.
      2. Smearing a condom with cement would make it useless, although extremely secure. I think would most people would agree that this is not a description which can be aptly applied to Microsoft.

    • "What retard decided to put binary data in RSS?"

      Dave Winer, for one. He's a lot of things, but he isn't a retard. :-) I'll point out, though, that there's nothing insecure about moving binary data. Many web browsers, nntp clients, mail clients, etc., on many operating systems are known to move binary data with complete safety. The trick is to keep a clear distinction between data, which is safe, and code, which is dangerous.

      "Or would allow execution of code linked to by an RSS feed?"

      Now, if this were don
  • by Anonymous Coward
    Oh I see,
    Don Park is warning!

    Glad to hear what Don Park has to say about this story.

    I love Don Park, I read every word he writes!

    WHO THE FUCK IS DON PARK?
  • Common sense (Score:3, Insightful)

    by Anonymous Coward on Thursday June 30, 2005 @12:08PM (#12951475)

    RSS is a transmission vector. Data can get onto your system through RSS in the same way it can get onto your system through email, through floppy disks, through web browsing, and so on.

    Wherever there's a transmission vector, there's possibility for infection if applications that consume that data are insecure.

    So basically, this "possible abuse" warning is simply saying "You know those applications that suck up lots of untrusted data? If they are insecure, you may have problems!" Sorry, but there's nothing new here.

    In fact, having it built into Longhorn could reduce the likelihood for security holes. All the RSS-consuming applications use their own home-grown parsing routines right now. Switching to one shared library means there's only one place for vulnerabilities to arise in this respect, and when each vulnerability is fixed, it will be fixed for all the applications at once.

    On the other hand, this is Microsoft that is writing the shared library, and we all know how secure their coding is. Internet Explorer hasn't had any meaningful updates for four years, and they are still finding holes in it on a regular basis - which means that every application that embeds Trident (Internet Explorer's rendering engine) are constantly in a state of insecurity. It all comes down to the benefits of shared libraries versus the incompetence of Microsoft.

    • Yes it's a vector. And MS wants to control that vector. If you don't see the parallels to how MS pushed IE on the masses, you haven't been paying attention.

      When things start getting messy down the road, and the TPTB want to hide the truth from the masses, what better way than to control RSS feeds.

    • Switching to one shared library means there's only one place for vulnerabilities to arise in this respect, and when each vulnerability is fixed, it will be fixed for all the applications at once.

      So this is like ordering a #4, instead of having to order a Double-Whopper with Cheese, Large Fries and Large Coke all separately? Sounds simple.

      May I take your order?

      Yeah, we'll each have one library vulnerability, with one Microsoft Security Bulletin, a Microsoft Knowledge Base article, a BugTraq ID, a CVE
  • by team99parody ( 880782 ) on Thursday June 30, 2005 @12:09PM (#12951489) Homepage
    One thing we often overlook is that weak security is actually in the interest of Microsoft, because it's a primary drivers of corporate upgrades.

    Many businesses are still content with Windows2000; and see little reason to upgrade to Longhorn. One of the easiest buttons to push to get a CFO to approve upgrades is finding security holes in the old systems.

    As long as Microsoft's business model is so dependant on bleeding it's existing customers until they're dry; I don't think it's really in their interest to stop security holes. Of course they don't want to launch Longhorn with a bunch of old IE holes that are already exploited, so they need to find new areas for this. Slowly adding new holes like RSS; where the holes may not be found for many years is perfect for the upgrade plan.

    [yes, it was a troll; but I think there's a truth to the fact that security weeknesses in Windows is a major driver of upgrades]

    • Mod parent up (Score:4, Interesting)

      by Animats ( 122034 ) on Thursday June 30, 2005 @12:23PM (#12951622) Homepage
      That's exactly what Microsoft tells the huge number of business users still running Windows 2000. It's not a troll; it's reality.

      Microsoft keeps adding stuff to Windows that allows external programs to initiate activity from the network. Windows Messenger Service. Universal Plug and Play. Windows Update. Active Management. AutoPlay. Now, RSS. And they consistently have them turned on by default. This guarantees a large supply of future security holes.

      In ten years, they haven't even been able to secure Outlook.

    • by dioscaido ( 541037 ) on Thursday June 30, 2005 @01:56PM (#12952394)
      Insightful, except for the fact that I'm a developer on Longhorn, and I have to spend endless hours pouring through my designs with security groups within Microsoft. And once my component is ready, the source is shipped to the security group for one final run through for vulnerabilities.

      While it may be nice to think these conspiracy theories that we purposefully put in vulnerabilities, the fact is that at least since 2003 MS has kicked itself into shape and now has security as the top priority. We're actually seeing for the first time security concerns trumping 'user friendliness', which is great. Anyway, we have too many eyes from different groups going through oru designs and actual code for people to make such shady business decisions.
      • by rhizome ( 115711 ) on Thursday June 30, 2005 @02:14PM (#12952562) Homepage Journal
        While it may be nice to think these conspiracy theories that we purposefully put in vulnerabilities, the fact is that at least since 2003 MS has kicked itself into shape and now has security as the top priority.

        That's fine, but the fact remains that Microsoft is adding new attack vectors just as they are incorporating new technologies to deal with security holes (which themselves qualify as potential vulnerabilities). It may be a stereotype, but the culture of "Uncle Bill" really holds sway here, that Microsoft sets itself up as both the cause and solution to security problems and extending RSS to include executable binary code is just as smart as ActiveX in the browser. That is, "not very," for the majority of users, and "definitely not" for the wild-and-wooly Internet environment.

        Keep in mind Hanlon's law here. It's not enough to say that Microsoft is feeding a conspiracy by making shady business decisions because I don't think they are. They just can't help making dumb ones. Refer to the allegory of the scorpion and the frog [allaboutfrogs.org] for further illustration.
        • Refer to the allegory of the scorpion and the frog for further illustration.

          You're going to have to explain this to me - are you saying that Microsoft is going to pull down it's userbase deliberately because it hasn't or won't consider it's own future?

      • Thanks for the informed response to my troll [argh, I was going for a cheapshot conspiracy-theory-funny and I even said I was trolling yet I still got modded up (go figure)]

        "We're actually seeing for the first time security concerns trumping 'user friendliness', which is great."

        Is it great? As someone with stock in Microsoft, I wonder if Microsoft's newfound obsession with security is a poor strategic decision that really doesn't play to Micrsoft's strenghts. Computer security is really an area of

  • by stinerman ( 812158 ) on Thursday June 30, 2005 @12:10PM (#12951493)
    RSS abuse has gone on far too long. It may seem unthinkable to some people who long for an RSS of their own (but have had to adopt), but some people do abuse RSS.

    If you see your RSS feed has some broken links or other irregularities, report it immediately to your sys admin -- even if the RSS explains it away as random line noise or CRC errors. Protecting one's abuser is a sign of continued abuse.

    Only YOU can help stop RSS abuse!
  • by B5_geek ( 638928 ) on Thursday June 30, 2005 @12:13PM (#12951517)
    ...decision to bake RSS into Longhorn... ...on the back burner.

    No wonder MS says they can't remove things like IE from the operating system; They cook it all together!!!

  • Uh... (Score:4, Insightful)

    by Momoru ( 837801 ) on Thursday June 30, 2005 @12:13PM (#12951518) Homepage Journal
    I see the comments are already filled with "What do you expect its microsoft!!!" and "Hah! hacked b4 its out!!!" comments... This is just speculation about a potential vulernability, in a feature that is not even in a beta in an OS that is not even in beta. Cripes, at least wait until it's out before rushing to any judgements...you know you all use Windows anyways.
    • Because MSFT is known for implenting good ideas poorly, and then extending them MSFT style.

      When active X was new people were pointing out the potential vulernabilities as well. MSFT ignored those programmers. by 2003 Active X viruses were common place and being launched Daily.

  • by gowen ( 141411 ) <gwowen@gmail.com> on Thursday June 30, 2005 @12:13PM (#12951521) Homepage Journal
    vulnerabilities in iPod codec, then podcasting is a good way to deliver overflow inducing content.
    Only on slashdot can people find a way to blame (putative) Apple vulnerabilities on Microsoft.
    • The word is Don Park's, and the problem here is that embedding RSS/Podcasting deep into the os allows attacker to use overflows to inject code right into the OS' libs&spaces instead of merely crashing/killing the application.

      It's kinda like ActiveX Vs XUL.

      Weapon box versus sandbox and that kind of neafty things
  • People have some predefined conceptions and opinions when it comes to Microsoft products. Being crappy, buggy and insecure are some of the deep-rooted features. We just can't say "No" to them. Come on Longhorn guys - I want features that might burn down my computer :)
  • With the brilliant Innovation (TM) that Microsoft is always bringing to the computer world, why should we have to worry about anything.

    More seriously, by the time Longhorn actually gets released, the world might have passed RSS by. Either that or there will be several third party applications that will do something similar to what Microsoft hopes to do that will have already been released for XP.

    Additionally, even if Microsoft does make an application that is buggy as all hell and hands every virus

    • Re:Why worry? (Score:3, Insightful)

      by Alioth ( 221270 )
      Yes - you do have to worry about it. Your computer is no longer an island once it's on the Internet.

      At home, I do not run any Microsoft software, yet I still have to deal with the consequences of zombied Windows PCs on broadband connections, deluging my email inbox with spam and chewing up valuable network bandwidth. When SQL Slammer made its attack, it completely knocked out one of the ISPs here due to the massive amount of traffic.

      Microsoft's insecurity affects everyone - even those who don't use MS sof
  • We'll get to test this in what........2 years? Maybe more? I heard OSX might threaten linux, any creedence to this?
  • Easier way (Score:4, Funny)

    by Anonymous Coward on Thursday June 30, 2005 @12:24PM (#12951632)
    Can't MS just develop a specific API for people trying compromise windows machines, it would be less work for everyone.
  • OMG!!! (Score:2, Insightful)

    by oneeyedelf1 ( 793839 )
    In other news Internet Explorer automatically downloads pictures linked to in HTML. Images could contain worms. And be executed by possible buffer overflows when image is displayed. Personally I would love rss intergration for most programs, an easy way to integrate things like changelogs in newer version notifications to decide if updating is worth it, etc etc. I have a feeling lots of cool stuff could be done with this power. I am all about delivering content formated how you want it, where you want it,
  • by BoyBlunder ( 882644 ) on Thursday June 30, 2005 @12:36PM (#12951724) Homepage
    Can we get back on topic and discuss the potential issues with RSS instead of the gratuitous MSFT bashing? All MSFT has done is bring this to the front burner.

    RSS enclosures can move anything. Corrupt the underlying XML (or the data it is trying to move in the enclosure) and all your victims will pull it onto their desktops automatically. An analog is having HTML email and using a preview pane. You wouldn't do that, but RSS enables it. Got a PDF that exploits an Adobe vulnerability? Add it as an enclosure. Got an image? Same deal. Got a zip? Go ahead. It's not just the currently trendy podcasting and audio files that pose threats. Worse yet, there are many RSS clients our there, not just a few (unlike browser or email). Many opportunities to find holes. Most clients use IE to render the HTML, so there's also the risk of phishing, embedded script, moveable code and other standard HTML malware. What are the vendors doing to mitigate this? Good question. Anyone from feedburner, say, care to comment?

    RSS doesn't stand for Really Scary Security - yet. MSFT just made it a much richer target - let's save the guesswork about the quality of their implementation for when it actually shows up.

  • I wouldn't be surprised if Microsoft is doing this on purpose to show that only their new anti-virus program will be effective against these new threats since the Script Kiddie Support API is undocumented for outside anti-virus companies.
  • Because RSS allows enclosures, and because enclosures contain songs, and because songs can be ill-formed to allow overflow attacks -- therefore there is a weakness in RSS?
    Perhaps a weakness in the codec, sure. Or a weakness in who you decide to download files from. Or even a weakness in your firewall applicaiton allowing sneaky code to talk to outside IP addresses. But a bug in RSS itself?
    I must be missing something, because that doesn't add up, unless the goal is to change RSS somehow, simply because Lo
  • For an RSS-exploit in Longhorn that:

    Uses a priviledge escalation to become administrator and then downloads a new and more secure operating system (e.g. OpenBSD) to replace Longhorn.
  • MS vs Apple (Score:4, Interesting)

    by Anonymous Coward on Thursday June 30, 2005 @12:46PM (#12951805)
    I'm far from an MS fan, doing all of my work for the last few years on Linux, and being currently in the process of moving to OS X. But I have to ask, why is /. reporting a possible vulnerability in an unreleased OS, whereas a serious flaw [machacking.net] in the design of OS X (here, today, right now) has not been talked about at all.
    • Yeah, but if you have write access to arbitrary locations, you could always just write over applications with your own stuff. This isn't any more dangerous than usual. There's no remote or even local exploit here, just a good spot for trojans to lurk, which can always be done anyway.Well, at least until we get a per-application security model to replace the per-user one.
  • Will it come with a new filesystem? No.

    Will it come with a new command line interface? No.

    Will it come with risk-laden RSS support "integrated" into the OS so that it can't be uninstalled? Yes.

    Nice set of priorities there, Microsoft. I hope you aren't too surprised when I prioritize my cash in such a way that I stick with NT 5.x.
  • It seems [userfriendly.org] that Slashdot isn't the only ones covering this. :-)
  • I FAIL to see how RSS can be a dangerous vector for viruses. Why do you ask? Well, first off, it's no worse then a web browser or e-mail which both happen to have the same ability to download executable binaries. Second, Mozilla Firefox, iTunes, Safari and proabably IE 7 currently have no way of automatically running code. I have seen more iPodder clients (iPodder itself did have the problem but does not any more) that have the ability to open the media file upon download. The problem is much worse if
  • Integrating RSS into the OS is a bad idea, but not nearly as bad an idea as integrating a web browser, which has all the same issues and more. RSS doesn't fundamentally do anything more than a web browser, aside from automating revisiting a site. It doesn't deal with local files, so there's no trusted files going through it to complicate authentication issues. It's also much more limited in the expected control of the user experience, so there's less chance to spoof things.
  • Most people here would -welcome- that kinda content..
  • In this instance RSS represents a particular attack vector (or a transport mnechanism) that an exploit (like a virus or a worm) can take to attack the host system.

    I think it is interesting that Microsoft is using a well known protocol in Longhorn, especially one that wasn't developed at Microsoft. If RSS in Longhorn is exploited then the folks their can point back to the open source RSS development community and look for help getting the vector or the exploit addressed.

    It will also be intersting to see
  • Using phish for bait?
  • This latest bit of news exemplifies why Microsoft will never be able to secure Windows -- why, in fact, it will never be able to even come close. Microsoft has this philosophy of supporting features like RSS in the lowest levels of the OS, in ways no sane person would even consider, never mind implement. Programmers always make mistakes. That's a given. All it takes is one small mistake to compromise the entire system. You don't add this sort of feature without being very careful (and we all know how succes
  • I'm telling you. Push ^D^D^D^D Active Desktop ^D^D^D^D RSS technology is the next big thing...
  • and people are already talking about security holes?

    Windows really raises interesting expectations.

I THINK THEY SHOULD CONTINUE the policy of not giving a Nobel Prize for paneling. -- Jack Handley, The New Mexican, 1988.

Working...